From bfba223c172e94f25f2f522b797cfe4a0d453d00 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 12 Mar 2024 15:18:42 +0000 Subject: [PATCH] feat: First steps of V1.28 based on Alpine 3.19 --- Dockerfile | 12 +-- Makefile | 2 +- abuilder | 2 +- kubezero/aws-iam-authenticator/APKBUILD | 4 +- kubezero/cri-o/APKBUILD | 24 ++++-- kubezero/cri-o/crio.initd | 1 + kubezero/cri-tools/APKBUILD | 8 +- kubezero/ecr-credential-provider/APKBUILD | 4 +- kubezero/falco-kernel/APKBUILD | 65 ++++++++++------ kubezero/falco/APKBUILD | 20 +++-- kubezero/fluent-bit/APKBUILD | 6 +- kubezero/fluent-bit/fluent-bit.initd | 2 +- kubezero/kubernetes/APKBUILD | 15 ++-- kubezero/kubernetes/kubelet.initd | 3 +- kubezero/kubezero/APKBUILD | 34 ++++++--- kubezero/kubezero/credential-provider.yaml | 4 +- kubezero/kubezero/crio.monit | 4 + kubezero/zdt-base/APKBUILD | 15 ++-- kubezero/zdt-base/cloudbender-early.init | 3 +- kubezero/zdt-base/cloudbender.init | 5 +- kubezero/zdt-base/common.sh | 88 ++++++++++++++-------- kubezero/zdt-base/syslog-ng.conf | 9 ++- kubezero/zdt-base/write_parameters.py | 63 ++++++++++++++++ kubezero/zdt-base/zdt-sysctl.conf | 1 + 24 files changed, 273 insertions(+), 121 deletions(-) create mode 100644 kubezero/kubezero/crio.monit create mode 100644 kubezero/zdt-base/write_parameters.py diff --git a/Dockerfile b/Dockerfile index 3f2284b..5d8aefc 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,13 +1,11 @@ -FROM alpine:3.18 -ARG ALPINE="v3.18" +FROM alpine:3.19 +ARG ALPINE="v3.19" ARG BUILDUSER=alpine RUN echo "http://dl-cdn.alpinelinux.org/alpine/${ALPINE}/main" > /etc/apk/repositories && \ echo "http://dl-cdn.alpinelinux.org/alpine/${ALPINE}/community" >> /etc/apk/repositories && \ echo "@edge-main http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && \ - echo "@edge-community http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \ - echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \ - wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub + echo "@edge-community http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories RUN apk -U --no-cache upgrade && \ apk --no-cache add \ @@ -24,7 +22,9 @@ RUN adduser -D $BUILDUSER && \ install -d -g abuild -m 775 /var/cache/distfiles && \ install -d -g abuild -m 775 /packages && \ echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subuid && \ - echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid + echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid && \ + echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \ + wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub COPY abuilder aarch64-toolchain.sh /usr/bin/ diff --git a/Makefile b/Makefile index f86445b..7ecff09 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,7 @@ REGION := us-east-1 include .ci/podman.mk -BUILDER := v3.18.4 +BUILDER := v3.19.1 PKG := '*' CF_DIST := E11OFTOA3L8IVY diff --git a/abuilder b/abuilder index 0e5577f..48b115d 100755 --- a/abuilder +++ b/abuilder 
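Review bot: The apk signing key for the @kubezero repository is still fetched with an unverified `wget` in the second Dockerfile hunk, so the trust root for every package later installed from that repository rests solely on the CDN's TLS at build time; moving the fetch into the later RUN layer only re-orders when the key is added. Since the key is a small static artifact, it would be safer to check it into the repository and `COPY stefan@zero-downtime.net-61bb6bfb.rsa.pub /etc/apk/keys/`, where it can be reviewed in git, or at least to compare the downloaded file against a checksum committed next to the Dockerfile before the build continues. The first hunk (alpine 3.18 to 3.19) needs no comment.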
@@ -11,7 +11,7 @@ if [ "$1" = 'aarch64-toolchain' ]; then else # Set ENV for cross compile for aarch64 if [ "$2" = "cross-arm64" ]; then - ALPINE="v3.18" + ALPINE="v3.19" TARGET_ARCH=aarch64 SUDO_APK=abuild-apk APORTS=/home/alpine/aports diff --git a/kubezero/aws-iam-authenticator/APKBUILD b/kubezero/aws-iam-authenticator/APKBUILD index 458149e..868a25f 100644 --- a/kubezero/aws-iam-authenticator/APKBUILD +++ b/kubezero/aws-iam-authenticator/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer pkgname=aws-iam-authenticator -pkgver=0.6.10 +pkgver=0.6.11 pkgrel=0 pkgdesc="AWS aws-iam-authenticator" url="https://github.com/kubernetes-sigs/aws-iam-authenticator" @@ -20,5 +20,5 @@ package() { } sha512sums=" -2b5da6dfbec1f5483ead8da280de8dd719b71157a9bfa4751c015dbc77a4f4c01a59486015cd2231ffb4232a0bf4a35ef843007605dd0b9fffd51ca0208f8fda aws-iam-authenticator-0.6.10.tar.gz +6d78fbe95d6e36a7a3835b4df257e96fff3ab53fe4abd8ef525c24aebaf8727e2a6016107024bebe031b2e24295172190407ca892d1b3478329c62cdd9fe553f aws-iam-authenticator-0.6.11.tar.gz " diff --git a/kubezero/cri-o/APKBUILD b/kubezero/cri-o/APKBUILD index 56222b1..8160594 100644 --- a/kubezero/cri-o/APKBUILD +++ b/kubezero/cri-o/APKBUILD @@ -3,7 +3,7 @@ # Contributor: TBK # Maintainer: ungleich pkgname=cri-o -pkgver=1.26.4 +pkgver=1.27.1 pkgrel=0 pkgdesc="OCI-based implementation of Kubernetes Container Runtime Interface" url="https://github.com/cri-o/cri-o/" @@ -14,8 +14,8 @@ license="Apache-2.0" options="net chmod-clean !check" depends=" cni-plugins - conntrack-tools conmon + conntrack-tools containers-common iproute2 iptables @@ -33,6 +33,7 @@ makedepends=" libselinux-dev lvm2-dev ostree-dev + sqlite-dev tzdata " checkdepends="bats cri-tools jq parallel sudo conmon" 
@@ -40,9 +41,10 @@ subpackages=" $pkgname-doc $pkgname-bash-completion $pkgname-zsh-completion - $pkgname-fish-completion $pkgname-openrc " + #$pkgname-fish-completion + source=" $pkgname-$pkgver.tar.gz::https://github.com/cri-o/cri-o/archive/v$pkgver/cri-o-$pkgver.tar.gz crio.conf @@ -70,7 +72,7 @@ export GOBIN="$GOPATH/bin" build() { # https://github.com/cri-o/cri-o/blob/master/install.md#build-tags - make BUILDTAGS="seccomp selinux apparmor containers_image_openpgp containers_image_ostree_stub" + make BUILDTAGS="libsqlite3 seccomp selinux apparmor containers_image_openpgp containers_image_ostree_stub" } check() { @@ -78,11 +80,17 @@ check() { } package() { - make DESTDIR="$pkgdir" PREFIX=/usr CRICTL_CONFIG_DIR="/etc/crio" OCIUMOUNTINSTALLDIR="/etc/crio" install + make \ + DESTDIR="$pkgdir" \ + PREFIX=/usr \ + CRICTL_CONFIG_DIR="/etc/crio" \ + OCIUMOUNTINSTALLDIR="/etc/crio" \ + FISHINSTALLDIR=/usr/share/fish/vendor_completions.d \ + install.bin-nobuild install.man-nobuild install.completions install.config-nobuild # We want it in etc so apk does not overwrite it mkdir -p "$pkgdir"/usr/share/oci-umount/oci-umount.d/ - ln -sf /etc/crio/crio-umount.conf "$pkgdir"/usr/share/oci-umount/oci-umount.d/crio-umount.conf + ln -sf ../../../../etc/crio/crio-umount.conf "$pkgdir"/usr/share/oci-umount/oci-umount.d/crio-umount.conf # The CNI plugins are recommended to be installed as examples install -Dm644 contrib/cni/*.conflist -t "$pkgdir"/usr/share/doc/cri-o/examples/cni/ 
@@ -95,9 +103,9 @@ package() { } sha512sums=" -99bf6b438da236491fcc33ddaa28aeb381fc40c04138918be98fca1117132c5616598e4d758a6852071a67e4884895494b091c9206490a964a559723f77b84e7 cri-o-1.26.4.tar.gz +27fb79141dd60c1744df8761a4d43603256f7f06e32d2f9c76be62b95dcf62924c7501d0461efabb013ae397c16030b6a2b037eeaae7a5daec7c28943f71bc7e cri-o-1.27.1.tar.gz 1f60719677295c9c5c615eb25d9159bde0af68a132eee67747f57fe76642d457c98c896c6189f85637d7b4ac24ba55fd9eaeb1699f43c3c5077b645f72a479fb crio.conf -cfc4c144931400023e6642fa0b9880f0e3c09c187542905ca56044cedafb5e1f1d49708e4352233abee4e02181155c02fc9688bf93202fc8d80dfc1ffc90699b crio.initd +e9149cc2ddd24328c5290d3aea895c01e2798e066897535384f615a556496acdd52a603a0f4ac3c4c70bd5c363592f23c8b4d1987bf738300112fc62e1def555 crio.initd 1115228546a696eeebeb6d4b3e5c3152af0c99a2559097fc5829d8b416d979c457b4b1789e0120054babf57f585d3f63cbe49949d40417ae7aab613184bf4516 crio.logrotated 0a567dfa431ab1e53f2a351689be8d588a60cc5fcdbda403ec4f8b6ab9b1c18ad425f6c47f9a5ab1491e3a61a269dc4efa6a59e91e7521fa2b6bb165074aa8e0 cni-plugins-path.patch f9577aa7b1c90c6809010e9e406e65092251b6e82f6a0adbc3633290aa35f2a21895e1a8b6ba4b6375dcad3e02629b49a34ab16387e1c36eeb32c8f4dac74706 makefile-fix-install.patch diff --git a/kubezero/cri-o/crio.initd b/kubezero/cri-o/crio.initd index 3a1ac9a..c95c3a6 100755 --- a/kubezero/cri-o/crio.initd +++ b/kubezero/cri-o/crio.initd @@ -16,6 +16,7 @@ start_stop_daemon_args="-N 1 \ depend() { need net + use dns } checkconfig() { diff --git a/kubezero/cri-tools/APKBUILD b/kubezero/cri-tools/APKBUILD index 8b81337..7b219fb 100644 --- a/kubezero/cri-tools/APKBUILD +++ b/kubezero/cri-tools/APKBUILD 
@@ -1,11 +1,11 @@ # Contributor: Francesco Colista # Maintainer: Francesco Colista pkgname=cri-tools -pkgver=1.26.1 -pkgrel=1 +pkgver=1.27.1 +pkgrel=0 pkgdesc="CLI tool for Kubelet Container Runtime Interface (CRI)" url="https://github.com/kubernetes-sigs/cri-tools" -arch="x86_64 aarch64 ppc64le s390x armv7 x86" +arch="all !armhf" license="Apache-2.0" makedepends="go" options="!check" # no check available @@ -27,5 +27,5 @@ package() { } sha512sums=" -1900b5d22a20ab1f01c13832be4dcf1e9845b64afb3cdcb6169752bbb20a6e69dcbb6ccc8d31b9d4bf091bf81aa04b9979544586763ea985499f229e7ab2a39d cri-tools-1.26.1.tar.gz +7e4349fa9a0a16d27fbde363a26978fe6e65a326d29b344f13cd2b43009f12f8cdf14fd9557ac29beb913d4258160e0fa4108d40378dd1216ff631922e40392e cri-tools-1.27.1.tar.gz " diff --git a/kubezero/ecr-credential-provider/APKBUILD b/kubezero/ecr-credential-provider/APKBUILD index 91cb2eb..9aaa0cc 100644 --- a/kubezero/ecr-credential-provider/APKBUILD +++ b/kubezero/ecr-credential-provider/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer pkgname=ecr-credential-provider -pkgver=1.26.1 +pkgver=1.27.1 pkgrel=0 pkgdesc="AWS Kubernetes ecr-credential-provider" url="https://github.com/kubernetes/cloud-provider-aws" @@ -24,5 +24,5 @@ package() { } sha512sums=" -59ec934a93b94290b0dce830a53301957842d8d45118471bb6eaa142b06dc37ed7f32e4c4a83f1f5341b0dda6745cfa7d8ebbac6d31378e3288857808f2aef71 ecr-credential-provider-1.26.1.tar.gz +d7a28f4fb3cb2a1e7ee8d94405e3268608562af0ac509b51c32fcca19353eb68c87b023bd7dae1e84a76d9e856e4951cbc8a2260bab358d1eb492e47caedd29d ecr-credential-provider-1.27.1.tar.gz " diff --git a/kubezero/falco-kernel/APKBUILD b/kubezero/falco-kernel/APKBUILD index 3adcb13..e9a4f17 100644 --- a/kubezero/falco-kernel/APKBUILD +++ b/kubezero/falco-kernel/APKBUILD 
@@ -1,13 +1,16 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer -pkgname=falco-kernel -pkgver=0.36.2 +_flavor=lts +_extra_flavors=virt + +pkgver=0.37.1 pkgrel=0 +pkgname=falco-kernel-$_flavor pkgdesc="Falco kernel module" url="https://github.com/falcosecurity/falco" arch="x86_64 aarch64" license="AGPL-3.0" -makedepends="cmake linux-virt-dev linux-headers" +makedepends="cmake linux-$_flavor-dev linux-headers" # protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev" # perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev" options="!check" 
@@ -17,34 +20,52 @@ source=" " builddir="$srcdir/falco-$pkgver" -prepare() { - [[ -d build ]] || mkdir build -} +for f in $_extra_flavors; do + makedepends="$makedepends linux-$f-dev" + subpackages="$subpackages falco-kernel-$f:_extra" +done build() { - # Hack running the build inside a container other uname -r returns host kernel - KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt)) + for flavor in $_flavor $_extra_flavors; do + mkdir -p $srcdir/falco-$pkgver/build-$flavor - cd build - cmake .. \ - -DCMAKE_BUILD_TYPE=Release \ - -DFALCO_VERSION=$pkgver \ - -DCMAKE_INSTALL_PREFIX=/usr \ - -DUSE_BUNDLED_DEPS=On \ - -DMUSL_OPTIMIZED_BUILD=On + # Hack running the build inside a container other uname -r returns host kernel + KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-"$flavor")) - KERNELDIR=/lib/modules/$KERNEL_VERSION/build make driver + cd $srcdir/falco-$pkgver/build-$flavor + cmake .. \ + -DCMAKE_BUILD_TYPE=Release \ + -DFALCO_VERSION=$pkgver \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DUSE_BUNDLED_DEPS=On \ + -DMUSL_OPTIMIZED_BUILD=On + + KERNELDIR=/lib/modules/$KERNEL_VERSION/build make driver + done +} + +_package() { + local flavor=$1 + local _out=$2 + + KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-"$flavor")) + depends="linux-$flavor~$(echo $KERNEL_VERSION | sed -e 's/-.*$//')" + + cd $srcdir/falco-$pkgver/build-$flavor + mkdir -p "$_out"/lib/modules/$KERNEL_VERSION/kernel + gzip -9 -c driver/falco.ko > "$_out"/lib/modules/$KERNEL_VERSION/kernel/falco.ko.gz } package() { - KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt)) - depends="linux-virt~$(echo $KERNEL_VERSION | sed -e 's/-.*$//')" + _package $_flavor $pkgdir +} - cd $srcdir/falco-$pkgver/build - mkdir -p "$pkgdir"/lib/modules/$KERNEL_VERSION/kernel - gzip -9 -c driver/falco.ko > "$pkgdir"/lib/modules/$KERNEL_VERSION/kernel/falco.ko.gz +_extra() { + flavor=${subpkgname##*-} + + _package $flavor $subpkgdir } sha512sums=" 
-dc648d9b0a625a02320ff0235bbf4f4940e7ba40c684a8a1f972d34f0a3447b4a34e665d7fbc0ee1ec9a014f65f81a304dc76b4ec804fc7b4e448f330b9474af falco-0.35.1.tar.gz +257d526c4d3eadbe2c79852221fdb8076f94e421aa66753628770ae7384137b4672064cbe1ba0a4d88d14e8a7d08e2521d5bd82a312c4b1442d8ea6fbbbb2f28 falco-0.37.1.tar.gz " diff --git a/kubezero/falco/APKBUILD b/kubezero/falco/APKBUILD index 2f5add7..00511e0 100644 --- a/kubezero/falco/APKBUILD +++ b/kubezero/falco/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer pkgname=falco -pkgver=0.36.2 +pkgver=0.37.1 pkgrel=0 pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud" url="https://github.com/falcosecurity/falco" @@ -11,10 +11,16 @@ makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-st musl-fts-dev musl-libintl musl-legacy-error - musl-obstack-dev - " + musl-obstack-dev " +# protobuf-dev +# c-ares-dev +# openssl-dev +# curl-dev +# grpc-dev +# yaml-cpp-dev +# " options="!check" -depends="falco-kernel~$pkgver" +#depends="falco-kernel~$pkgver" # Original config # https://raw.githubusercontent.com/falcosecurity/rules/main/rules/falco_rules.yaml @@ -40,13 +46,15 @@ build() { -DCMAKE_INSTALL_PREFIX=/usr \ -DFALCO_ETC_DIR=/etc/falco \ -DUSE_BUNDLED_DEPS=On \ + -DMINIMAL_BUILD=On \ + -DUSE_DYNAMIC_LIBELF=Off \ -DMUSL_OPTIMIZED_BUILD=On \ -DBUILD_DRIVER=Off \ -DBUILD_BPF=Off \ -DBUILD_LIBSCAP_MODERN_BPF=Off \ .. - make falco + make falco || bash } package() { 
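Review bot: `KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-"$flavor"))`, used in both build() and the new _package(), breaks silently when more than one kernel of a flavor is present in the build container: `ls -d` then expands to several paths, `basename` receives several operands, and the `depends="linux-$flavor~..."` pin derived from it may not describe the module actually built. Checking the glob for exactly one match would make the failure explicit, e.g. `set -- /lib/modules/*-"$flavor"; [ $# -eq 1 ] || return 1; KERNEL_VERSION=${1##*/}`. In `_extra()` the `flavor` variable is also not declared `local`, unlike in `_package()`, so it leaks into the global scope between subpackages.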
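Review bot: `make falco || bash` in build() turns a failed compile into an interactive shell; under abuild with no terminal attached, bash reads EOF from stdin and exits 0, so build() succeeds and package() runs against a half-built tree. The line should be just `make falco`, or `make falco || return 1` if an explicit failure is wanted. Related: `depends="falco-kernel~$pkgver"` is now commented out, so the falco package no longer pulls in a matching kernel module; if that is deliberate because the module now ships as per-flavor `falco-kernel-$_flavor` packages, a one-line comment saying so would spare the next reader the guess.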
@@ -65,7 +73,7 @@ package() { } sha512sums=" -a3fef235ab4f3121bd0400827712652530ec417498c44ada8b6bf565f7631d035673b53dad94ea6ae9c854d45202ed71b2771f19e0c92eea3fc3503e5b75b02e falco-0.36.2.tar.gz +257d526c4d3eadbe2c79852221fdb8076f94e421aa66753628770ae7384137b4672064cbe1ba0a4d88d14e8a7d08e2521d5bd82a312c4b1442d8ea6fbbbb2f28 falco-0.37.1.tar.gz b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08 falco.patch 487b8b64d2399fd7b706be29e3722983bcdfde3ab5cf0f78b2e9fe1055a4ad958976f591e739491e25a06d7cdf6894c1e153e892a87b83c7a962e23c9a104528 rules.patch " diff --git a/kubezero/fluent-bit/APKBUILD b/kubezero/fluent-bit/APKBUILD index 515fcd3..ebfd9ce 100644 --- a/kubezero/fluent-bit/APKBUILD +++ b/kubezero/fluent-bit/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer pkgname=fluent-bit -pkgver=2.1.10 +pkgver=2.2.2 pkgrel=0 pkgdesc="Fast and Lightweight Log processor and forwarder" url="https://fluentbit.io/" 
@@ -101,9 +101,9 @@ package() { } sha512sums=" -55caefa81cdeaf293b727829383c6eaa75bc2f8b8c61ebe15e1478c66033921fde6e50c39fc8c39a7d2d93d03892f709daf4d1b6caacf586133de5268de10299 fluent-bit-2.1.10.tar.gz +681c1db0256d0b50d986194597b700f790726a1394b3ad92c92a26c95d04bf2b65203e94ef2aeb0f0b3403870748ec0ebbec2cd49548857fbadc5c745581452f fluent-bit-2.2.2.tar.gz f6431397c80a036980b5377b51e38aec25dfceeb8dbe4cd54dce1f6e77d669d9f8daf983fcc96d25332385888f1809ced5e8ab0e8ccfcd93d19494036e3dc949 fluent-bit.confd -e17bad6abd597da620fdb930e3f18612a828dd956abf87ce850e2660b83db4d9ab7d373ab3a9bf1d07f605b5077998234ce4774007c0197cfbfdad465ca6b47a fluent-bit.initd +8ba6c8e84dee90176f9b4375fb2c6444fa5d32fa601d9bcf3ea7960fec87f1ef664f175caf08bd0b052843e971efdbf08e2a5cd180ad9a8f23ff2c5cb233814f fluent-bit.initd 6bd7d8b4da93a17f29b6ea1e0286ea226d0e376024284741110936779b3229bd8d6cd03ffbdc5d3b4842294e7f32a888de0dd16b0851b65d91b062ca58530ea0 chunkio-static-lib-fts.patch e3308a8377fb8ba496415b7a31e9e022e5aa9965d27a0c33ea5166a29049b72cb364bbcdf9d8611ef3407b0968f9bd4adff12cdb39728bbebd382710e5bc75d0 exclude-luajit.patch d61f30344af997f126486fa5b34cd3fbfe88bfc9aea394a8c60d0206f4db8db998eadf637a3a581b89512411c1e7980c414e236e455d5e2b889d20a556ee6577 xsi-strerror.patch diff --git a/kubezero/fluent-bit/fluent-bit.initd b/kubezero/fluent-bit/fluent-bit.initd index f0e5871..e1059d8 100644 --- a/kubezero/fluent-bit/fluent-bit.initd +++ b/kubezero/fluent-bit/fluent-bit.initd @@ -7,5 +7,5 @@ command_args="$fluentbit_opts" depend() { need net - after firewall cloudbender + after firewall } diff --git a/kubezero/kubernetes/APKBUILD b/kubezero/kubernetes/APKBUILD index f2e8334..030d74d 100644 --- a/kubezero/kubernetes/APKBUILD +++ b/kubezero/kubernetes/APKBUILD 
@@ -5,12 +5,11 @@ # Contributor: Dave # Maintainer: Stefan Reimer pkgname=kubernetes -pkgver=1.26.8 +pkgver=1.27.8 pkgrel=0 pkgdesc="Container Cluster Manager" url="https://kubernetes.io/" -# ppc64le: failed to build -arch="x86_64 aarch64 armv7 x86" +arch="all !armhf !riscv64" license="Apache-2.0" options="!check chmod-clean net" # Tests hang @@ -72,18 +71,16 @@ _services="kube-apiserver kube-controller-manager kube-proxy kube-scheduler" export GOCACHE="${GOCACHE:-"$srcdir/go-cache"}" export GOTMPDIR="${GOTMPDIR:-"$srcdir"}" export GOMODCACHE="${GOMODCACHE:-"$srcdir/go"}" -export FORCE_HOST_GO="y" build() { - hack/update-codegen.sh for _pkgs in $_agent $_cli $_services ; do - make -j1 GOFLAGS="-buildmode=pie -v -tags=providerless" GOLDFLAGS="-extldflags=-static" WHAT=cmd/$_pkgs + make -j1 GOFLAGS="$GOFLAGS -buildmode=pie -v -tags=providerless" GOLDFLAGS="-extldflags=-static" WHAT=cmd/$_pkgs done } package() { for bin in $_agent $_cli $_services; do - install -Dm755 _output/local/bin/linux/*/$bin "$pkgdir"/usr/bin/$bin + install -Dm755 _output/local/go/bin/$bin "$pkgdir"/usr/bin/$bin done mkdir -p "$pkgdir"/etc/kubernetes } 
@@ -208,7 +205,7 @@ _do_zshcomp() { } sha512sums=" -38649d4c8a85e236a8ceffe5bba5146cf1a4eb9191534707dd39443303f99d830e95dc4e9be0febfb2a8bd4d0b57f13b5cb883b51fea57306f1f2ceff2052d69 kubernetes-1.26.8.tar.gz +ddc14d21ba470d24d115de67cdb801c742f04124101ff0e2741170971fdf6bcf0a75ef82807d63394dd8b06dc186a86cccf93a7aab4f9e49b922b981ce5ed8aa kubernetes-1.27.8.tar.gz 5427c2e653504cfd5b0bcaf195d4734ee40947ddfebc9f155cd96dddccfc27692c29d94af4ac99f1018925b52995c593b584c5d7a82df2f185ebce1a9e463c40 make-e2e_node-run-over-distro-bins.patch 94d07edfe7ca52b12e85dd9e29f4c9edcd144abc8d120fb71e2a0507f064afd4bac5dde30da7673a35bdd842b79a4770a03a1f3946bfae361c01dd4dc4903c64 make-test-cmd-run-over-hyperkube-based-kubectl.patch e690daff2adb1013c92124f32e71f8ed9a18c611ae6ae5fcb5ce9674768dbf9d911a05d7e4028488cda886e63b82e8ac0606d14389a05844c1b5538a33dd09d1 kube-apiserver.initd @@ -223,7 +220,7 @@ d7e022ee22da191bda7382f87cb293d9c9d115a3df0c2054bf918279eb866f99c6d5c21e4c98eae8 561bef5633ba4b9021720624443d9c279a561e5fabea76e5d0fbee2e7ad8999029a2511a45895fbec8448026212a3c5b4c197b248a6afa7f8bd945f705524ea7 kube-scheduler.initd af88b382ab75657d0ff13c3f8f6d924cef9f2df7807a9a27daa63495981801bc4b607998f65c0758c11a7e070e43c24f7184ba7720711109c74b1c4d57919e34 kube-scheduler.confd 3692da349dd6ed0f5acc09d7b95ac562ffecb103e2270bebdfe4a7808d48dada9d2debff262d85b11c47f9ca3f0c20000712d03629ed813ff08a3e02d69267e6 kube-scheduler.logrotated -7cb03bde52820c3ce8b10df1a16cf0b46b39d185e01b4d312400f70bba5875992ec71166539d3820cf59ddbabeb48dec7ae8185820646fae3f851c4cd144fe69 kubelet.initd +372cdf2fbb24a229ed7b3450b54197c006928cb8d2fd756f2713e1e6961849c7aaa35b20b14fb75d1a12ef1e35258048738aa22b5f9783af8fa0a31dfd1b5bbd kubelet.initd 44eb973de8ee8e0c5a77d76ab0e105fe0ae892be1ff86c238a5449b43f83cab6f844575b6c3218f08c5ff077e9f828f5aef72425c1d77546cce2e0136e8a8da8 kubelet.confd 941f4a7579dcf78da2d323ac69195e95eba6600e6fcefe9231447f11c9867a7aa57b4189ee1fefb10eab19c89665ea2e7696b539c92e99fbcde905d2ff85be58 kubelet.logrotated " 
diff --git a/kubezero/kubernetes/kubelet.initd b/kubezero/kubernetes/kubelet.initd index 1c20029..e17c404 100755 --- a/kubezero/kubernetes/kubelet.initd +++ b/kubezero/kubernetes/kubelet.initd @@ -24,5 +24,6 @@ pidfile="${KUBELET_PIDFILE:-/run/${RC_SVCNAME}.pid}" depend() { after net cloudbender - need cgroups crio + need cgroups + want containerd crio } diff --git a/kubezero/kubezero/APKBUILD b/kubezero/kubezero/APKBUILD index f9c9f5e..0b6dd9a 100644 --- a/kubezero/kubezero/APKBUILD +++ b/kubezero/kubezero/APKBUILD @@ -1,11 +1,11 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer pkgname=kubezero -pkgver=1.26 +pkgver=1.27 pkgrel=0 pkgdesc="KubeZero release package" url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/kubezero" -arch="noarch" +arch="x86_64" license="AGPL-3.0" depends=" podman @@ -15,7 +15,7 @@ depends=" kubelet~$pkgver kubectl~$pkgver ecr-credential-provider~$pkgver - aws-iam-authenticator~0.6.10 + aws-iam-authenticator~0.6.11 " options="!check" #install="$pkgname.post-install" @@ -24,20 +24,26 @@ subpackages=" $pkgname-imagecache " +IMAGES=" + quay.io/cilium/cilium:v1.14.4 + ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3 + " + +#multus_version="4.0.2" + source=" shared-sys-fs.start evictLocalNode.sh credential-provider.yaml kubelet.monit + crio.monit crio.conf " + #multus-"$multus_version".tar.gz::https://github.com/k8snetworkplumbingwg/multus-cni/releases/download/v"$multus_version"/multus-cni_"$multus_version"_linux_amd64.tar.gz -IMAGES=" - quay.io/cilium/cilium:v1.13.5 - ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3 - " - +# get multus and cilium binaries and drop them in /usr/libexec/cni build() { + # pre loaded images for i in $IMAGES; do IMAGE_NAME=$(echo $i | sed -e 's/.*\///' -e 's/:.*//') podman --storage-driver vfs pull $i 
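Review bot: Replacing `need cgroups crio` with `need cgroups` plus `want containerd crio` means the kubelet service now starts even when crio fails to start, since OpenRC's `want` only orders and attempts the dependency without failing the dependent. If the intent is to allow either containerd or crio to back the kubelet, that is reasonable, but a comment such as `# runtime is a soft dependency so either containerd or crio can serve the kubelet` would record it; otherwise a kubelet started with no runtime at all will just loop on CRI errors and the boot-time failure is harder to spot. The crio.monit file added later in this commit mitigates a crio crash after start, not this start-ordering case.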
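Review bot: The preloaded images in `IMAGES` are referenced by mutable tag (`quay.io/cilium/cilium:v1.14.4`, `ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3`) and `podman --storage-driver vfs pull $i` in build() pulls whatever those tags resolve to at build time, with nothing comparable to the sha512sums that cover the other sources. Pinning each entry with its `@sha256:` digest would make the imagecache subpackage reproducible and detect a re-tagged image. The enclosing build() continues outside the hunk. Separately, pkgver here becomes 1.27 while the commit subject speaks of V1.28; worth confirming which is meant.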
@@ -52,10 +58,15 @@ package() { mkdir -p $pkgdir/etc/kubernetes/manifests install -Dm644 "$srcdir"/credential-provider.yaml "$pkgdir/etc/kubernetes/credential-provider.yaml" - install -Dm644 "$srcdir"/kubelet.monit "$pkgdir/etc/monit.d/kubelet.conf" - # crio settings install -Dm644 "$srcdir"/crio.conf "$pkgdir/etc/crio/crio.conf.d/01-kubezero.conf" + + # monit + install -Dm644 "$srcdir"/kubelet.monit "$pkgdir/etc/monit.d/kubelet.conf" + install -Dm644 "$srcdir"/crio.monit "$pkgdir/etc/monit.d/crio.conf" + + # multus + #install -Dm755 "$srcdir"/multus-cni_"$multus_version"_linux_amd64/multus $pkgdir/usr/libexec/cni/multus } # Preload container images all nodes need to speed up boot time and reduce data transfer @@ -71,7 +82,8 @@ imagecache() { sha512sums=" ecb33fc3a0ffc378723624858002f9f5e180e851b55b98ab6611ecc6a73d4719bc7de240f87683fc58de8bf577059e6f19b417655b5301ef8c32deff67a29dff shared-sys-fs.start fce1013f7b1bfa8ee526de62e642a37fda3168889723e873d3fb69e257f4caa1423b5a14b9343b12a87f3b6f93c7d3861b854efda67ef2d6a42a5ca8cf3d1593 evictLocalNode.sh -716ec3404d7016bce57d663f750a18db3ede07c1ba7a2908f9f01f41c5ca8fe4e7232ded27bc2bccd705b11ae5cd26574322a8eacefcf8c102bba0f8e4995e59 credential-provider.yaml +92499ec9a8b3634c42b16c01d27f1c1bb650bcc074a2c8d9d16cfe2ea08942948989c6aae79bd2df562ff17df11bbc329e0971f15c4e64f944457825dee7aa79 credential-provider.yaml 8b81eb0fb66e6a739965db6af6a31c443e8f612c06146bd51107372abd833b527423299ee11b27e011f46cfbee11415234b3fa0dea695dbbb06711e0ad58f08d kubelet.monit +e801df9ede6065395db75154735ca9368882d4225452a33f2b54b98cd0c4f3ceb730762d8745c6aea350a3a50a1df0c79ab46f422f94e9a40e621528e9d82055 crio.monit 064fc245b7ffd67834a2f5fd13cb0bcb5f4a5caf79b8113b3669bf1d0e1a4af2042e69f8f496991de76d621fd01bc7e67de37c59f034584d12622c6af96376ff crio.conf " diff --git a/kubezero/kubezero/credential-provider.yaml b/kubezero/kubezero/credential-provider.yaml index 7ab0dca..67cbfdc 100644 --- a/kubezero/kubezero/credential-provider.yaml 
+++ b/kubezero/kubezero/credential-provider.yaml @@ -1,4 +1,4 @@ -apiVersion: kubelet.config.k8s.io/v1alpha1 +apiVersion: kubelet.config.k8s.io/v1 kind: CredentialProviderConfig providers: - name: ecr-credential-provider @@ -9,4 +9,4 @@ providers: - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov" - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov" defaultCacheDuration: "12h" - apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1 + apiVersion: credentialprovider.kubelet.k8s.io/v1 diff --git a/kubezero/kubezero/crio.monit b/kubezero/kubezero/crio.monit new file mode 100644 index 0000000..c0eec96 --- /dev/null +++ b/kubezero/kubezero/crio.monit @@ -0,0 +1,4 @@ +check process crio pidfile /run/crio.pid + start program = "/sbin/rc-service crio start" + stop program = "/sbin/rc-service crio stop" + restart program = "/sbin/rc-service crio restart" diff --git a/kubezero/zdt-base/APKBUILD b/kubezero/zdt-base/APKBUILD index 30515eb..191c345 100644 --- a/kubezero/zdt-base/APKBUILD +++ b/kubezero/zdt-base/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer pkgname=zdt-base -pkgver=0.3.18 +pkgver=0.3.19 pkgrel=0 pkgdesc="ZeroDownTime Alpine additions and customizations" url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/zdt-base" @@ -31,6 +31,7 @@ source=" route53.py get_iam_sshkeys.py uniq_hostname.py + write_parameters.py " build() { 
@@ -83,19 +84,20 @@ aws() { install -Dm755 "$srcdir"/route53.py "$subpkgdir"/usr/sbin/route53.py install -Dm755 "$srcdir"/uniq_hostname.py "$subpkgdir"/usr/sbin/uniq_hostname.py install -Dm755 "$srcdir"/get_iam_sshkeys.py "$subpkgdir"/usr/sbin/get_iam_sshkeys.py + install -Dm755 "$srcdir"/write_parameters.py "$subpkgdir"/usr/sbin/write_parameters.py # Cloudbender SNS integration install -Dm755 "$srcdir"/monit_alert.sh.aws "$pkgdir"/usr/bin/monit_alert.sh } sha512sums=" -a870cc7657757770fb573a0fb5df61887d1b9d2a6a57b3ee8be93a7dfb34df6a1d489cd5572ab273dfe896b97faad7e7479571f993a3e13cfefe24c4720bcbf4 common.sh +2ddef702aae2783335c8b2836daa00a279d253c33b27170a0979d283d06d7ac666750fa026d2d2eed5759e7d6fd54ea898971fabe1e343ee1d09ffed42cf6355 common.sh 7f6a69a77d6a4a3c34928609108b7939cd43a892d72fb14bebc1d935cd66eda3bd625d15eebb4d6026715b36b12919fcaf863ed5f65ffdc0e2de9fc1b969cb3e boot.sh -ee19dcc0b46bdff8581c2661cda69fd8a3fa2de4dd30d96a4ce438b2536043a9f0bc57a6b0d4056e2715a2663a89bc1b07ec33798d5430a2046a65069a327cda cloudbender-early.init -df610d896c6b2821925df8d65ab44a0008b31e5b738172076234ae7645e8ef7e25d710c43f9b3999fb3f0303ccd81b57327c2e7694e1fc3f790abdbc77e0a097 cloudbender.init -b9479835d8667fa99f8b1b140f969f0464a9bb3c60c7d19b57e306cfe82357d453932791e446caded71fddd379161ae8328367f1ee75ae3afc1b85e12294b621 zdt-sysctl.conf +eb7d5b6f92f500dbaba04a915cdd8d66e90456ca86bed86b3a9243f0c25577a9aa42c2ba28c3cad9dda6e6f2d14363411d78eff35656c7c60a6a8646f43dcba5 cloudbender-early.init +336a211e6708432f185c911d0c990209c5af79f289d5cc331e0542e258e0309616e1386efd660d5439928562feaf3559970f66e950f9ce6e5aaf20c334596143 cloudbender.init +06102e56c847637f705d0b29b05b07fbbb2bda9ba69f0a7fe1d716126d3b1c7922fb0df159199809908fa0dc143209775edb1dd5976faa84244dbcaa45f00364 zdt-sysctl.conf 76e6a4f309f31bfa07de2d3b1faebe5670722752e18157b69d6e868cbe9e85eda393aed0728b0347a01a810eee442844c78259f86ff71e3136a013f4cbfaaea4 ps_mem.py 
-5376f4bf8356ce9249c45e78085073245181e8742c7b4be47c71dcd97a611ae125a7dfd3060502bdd591560af070334f89fe60dbc09c008926149c538ab0560a syslog-ng.conf +44b2dcf90709a51e4d804d4bb22eb866aa678089647b33b253a48fe29861e4ae85312b23f8a7ab8a20ed184bd6f341e9b919f3d1586f1c0d9c350b8206b29e04 syslog-ng.conf 484bdcf001b71ce5feed26935db437c613c059790b99f3f5a3e788b129f3e22ba096843585309993446a88c0ab5d60fd0fa530ef3cfb6de1fd34ffc828172329 syslog-ng.logrotate.conf e86eed7dd2f4507b04050b869927b471e8de26bc7d97e7064850478323380a0580a92de302509901ea531d6e3fa79afcbf24997ef13cd0496bb3ee719ad674ee syslog-ng.apparmor f8c052c7ec12c71937c7b8bc05d8374c588f345e303b30eda9c8612dff8f8f34a87a433648a3e9b85b278196ece198533b29680a303ff6478171d43f8e095189 dhcpcd-mtu.hook @@ -107,4 +109,5 @@ c3e72cd92936b03f2b9eab5e97e9a12fcddcdf2c943342e42e7702e2d2407e00859c62dc9b4de337 816049360aa442f9e9aa4d6525795913cfe3dc7c6c14dc4ccad59c0880500f9d42f198edc442fe036bc84ba2690d9c5bc8ae622341d8276b3f14947db6b879b1 route53.py 7da28446762a36a6737c5b30becbce78775bd943b4d0c5ef938a50f49b4f51f66708434aa79004c19d16c56c83f54c8d6d68e1502ebc250c73f8aae12bed83c0 get_iam_sshkeys.py ae1941fc45e61fa8d211f5ef7eff2dd01510a6d364c4302cab267812321a10e7434ecc8d8c9263d8671ce5604d04d6531601bf42886a55fb6aec7f321651e1dc uniq_hostname.py +ee4264337d86ad99ba6cf9ec3017986c804ac208c0beb5fc8651345bd277bb6de03e7c3a8c1b751767647be48f9d45ac47a7d14cf040d9c827780984394e826d write_parameters.py " diff --git a/kubezero/zdt-base/cloudbender-early.init b/kubezero/zdt-base/cloudbender-early.init index bd73521..84b6904 100755 --- a/kubezero/zdt-base/cloudbender-early.init +++ b/kubezero/zdt-base/cloudbender-early.init @@ -1,7 +1,8 @@ #!/sbin/openrc-run # vim:set ts=8 noet ft=sh: -description="CloudBender early tasks (no network / metadata available yet)" +# no network / metadata available yet +description="CloudBender early tasks" depend() { need fsck root 
diff --git a/kubezero/zdt-base/cloudbender.init b/kubezero/zdt-base/cloudbender.init index 5917658..4478125 100755 --- a/kubezero/zdt-base/cloudbender.init +++ b/kubezero/zdt-base/cloudbender.init @@ -13,6 +13,8 @@ depend() { start() { source /usr/lib/cloudbender/common.sh + ebegin "CloudBender" + get_meta_data import_meta_data @@ -34,6 +36,7 @@ start() { register_service_dns + is_enabled $PROMETHEUS_ENABLED && setup_prometheus $PROMETHEUS_ALLOW is_enabled $LOGGING_ENABLED && setup_fluentbit $LOGGING_HOST # cleanup previous reboot logs @@ -50,7 +53,7 @@ stop() { unmount_volumes "$VOLUMES" - [ -n "$DEBUG" ] && [ -r /tmp/shutdown.log ] && SHUTDOWNLOG="$(cat /tmp/shutdown.log)" + is_enabled $ZDT_CLOUDBENDER_DEBUG && [ -r /tmp/shutdown.log ] && SHUTDOWNLOG="$(cat /tmp/shutdown.log)" [ -n "$RC_REBOOT" ] && ACTION="rebooting" || ACTION="terminated" [ -z "$DISABLE_SCALING_EVENTS" ] && /var/lib/cloud/sns_alarm.sh "Instance $ACTION" "" Info "$SHUTDOWNLOG" diff --git a/kubezero/zdt-base/common.sh b/kubezero/zdt-base/common.sh index bc2c2ab..18396e1 100644 --- a/kubezero/zdt-base/common.sh +++ b/kubezero/zdt-base/common.sh @@ -10,6 +10,17 @@ _imds() { "http://$IMDS_ENDPOINT/$IMDS_URI/$1$IMDS_QUERY" } +# boolean flags +is_enabled() { + local flag=$(echo "$1" | tr '[:upper:]' '[:lower:]') + + [ "$flag" == 1 -o "$flag" == "true" ] && return 0 + [ "$flag" == 0 -o "$flag" == "false" -o "$flag" == "none" -o -z "$flag" ] && return 1 + + log -t user-data warn "Unknown value for boolean option: $flag - assuming False" + return 1 +} + # Todo: This should go into a yaml file query_imds() { MAC=$(_imds meta-data/mac) 
@@ -71,12 +82,8 @@ import_meta_data() { export AWS_DEFAULT_REGION=$REGION export AWS_DEFAULT_OUTPUT=text - # some basic logic - if [ "$DEBUG" == "None" -o "$DEBUG" == "False" ]; then - unset DEBUG - - LAUNCH_HOOK="CloudBenderLaunchHook" - fi + # Enabled LaunchHooks if not DEBUG + is_enabled $ZDT_CLOUDBENDER_DEBUG || LAUNCH_HOOK="CloudBenderLaunchHook" # Workaround for current CFN ASG_ hack _key=$(echo $AWS_CLOUDFORMATION_LOGICAL_ID | tr '[:lower:]' '[:upper:]') @@ -102,14 +109,14 @@ setup_instance() { add_once /etc/hosts "${IP_ADDRESS} ${_META_HOSTNAME} ${HOSTNAME}" - # Set system wide default region for boto3 - echo "export AWS_DEFAULT_REGION=$REGION" > /etc/profile.d/aws.sh - # workaround for dhcpcd / openresolv to omit search domain if equal to domain breaking DNS resolution of shortnames for eg. etcd and kube-apiserver add_once /etc/resolv.conf "search $DOMAIN_NAME" case "$CLOUD" in aws) + # Set system wide default region for boto3 + echo "export AWS_DEFAULT_REGION=$REGION" > /etc/profile.d/aws.sh + setup_sns_alarms ;; *) @@ -139,7 +146,7 @@ configure_sshd() { sed -i -e 's,^[\s#]*AuthorizedKeysCommand\s.*,AuthorizedKeysCommand /usr/sbin/get_iam_sshkeys.py --user %u --group '$group' --iamRole "'$role'",' /etc/ssh/sshd_config sed -i -e 's,^[\s#]*AuthorizedKeysCommandUser\s.*,AuthorizedKeysCommandUser nobody,' /etc/ssh/sshd_config - ebegin "added $group to SSH admin keys" + einfo "added $group to SSH admin keys" fi ;; *) @@ -294,7 +301,7 @@ mount_volumes() { mkdir -p $volPath mount -t xfs -o noatime $volDevice $volPath - ebegin "mounting $volDevice at $volPath" + einfo "mounting $volDevice at $volPath" done } 
@@ -311,17 +318,6 @@ unmount_volumes() { # msg used for sns event, last one wins msg() { MSG="$@"; log -t user-data info "$@"; } -# boolean flags -is_enabled() { - local flag=$(echo "$1" | tr '[:upper:]' '[:lower:]') - - [ "$flag" == 1 -o "$flag" == "true" ] && return 0 - [ "$flag" == 0 -o "$flag" == "false" -o -z "$flag" ] && return 1 - - log -t user-data warn "Unknown value for boolean option: $flag - assuming False" - return 1 -} - # Generic retry command wrapper, incl. timeout of 30s # $1 = number of tries; 0 = forever # $2 = number of seconds to sleep between tries @@ -373,6 +369,29 @@ asg_heartbeat() { [ -n "$LAUNCH_HOOK" ] && aws autoscaling record-lifecycle-action-heartbeat --instance-id $INSTANCE_ID --lifecycle-hook-name $LAUNCH_HOOK --auto-scaling-group-name $AWS_AUTOSCALING_GROUPNAME || true } +# upload various useful logs to s3 if configured +upload_debug_logs(){ + [ -z $ZDT_CLOUDBENDER_DEBUG_REMOTELOGS ] && return 0 + + local s3Url="$ZDT_CLOUDBENDER_DEBUG_REMOTELOGS/$INSTANCE_ID/$(date +'%Y%m%d-%H%M%Z')" + local _tmp=$(mktemp -d) + + ps -ef > ${_tmp}/process.list + cp /var/log/messages \ + /var/log/rc.log \ + /var/log/user-data.log \ + /etc/cloudbender.conf \ + /var/lib/cloud/meta-data \ + /var/log/kubelet/kubelet.log \ + /var/log/crio/crio.log \ + $_tmp + + tar cfz /tmp/debuglogs.tgz -C $_tmp . + aws s3 cp /tmp/debuglogs.tgz $s3Url/debuglogs.tgz + + return 0 +} + setup_sns_alarms() { # store SNS message json template cat < /var/lib/cloud/sns_alarm.json @@ -434,7 +453,7 @@ exit_trap() { MSG="$ERR_CMD" fi - if [ -n "$DEBUG" ]; then + if [ -n "$ZDT_CLOUDBENDER_DEBUG" ]; then SUBJECT="$SUBJECT Instance kept running for debug." else SUBJECT="$SUBJECT Instance terminated by ASG lifecycle hook." 
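Review bot: upload_debug_logs ships /etc/cloudbender.conf, /var/lib/cloud/meta-data and the kubelet/crio logs — material that can hold bootstrap credentials — through a predictable, world-readable-by-default path `/tmp/debuglogs.tgz`, and neither that file nor the mktemp directory is removed afterwards, so a debug-mode instance that is kept running (which is exactly when this runs) leaves the bundle on disk. Write the archive next to the mktemp directory, restrict its mode before filling it, request server-side encryption on the upload, and clean up; the unquoted `[ -z $ZDT_CLOUDBENDER_DEBUG_REMOTELOGS ]` only works by accident when the variable is empty and should be quoted. The `aws s3 cp` result is also discarded by the trailing `return 0`, so a failed upload is invisible; log it. The visible `cat < /var/lib/cloud/sns_alarm.json` in the trailing context looks like a garbled heredoc in the rendering, not something this commit changes.

```shell
upload_debug_logs(){
    [ -z "$ZDT_CLOUDBENDER_DEBUG_REMOTELOGS" ] && return 0

    local s3Url="$ZDT_CLOUDBENDER_DEBUG_REMOTELOGS/$INSTANCE_ID/$(date +'%Y%m%d-%H%M%Z')"
    local _tmp=$(mktemp -d)
    # unpredictable name derived from the mktemp dir, owner-only before any data lands in it
    local _tgz="${_tmp}.tgz"
    ( umask 077; : > "$_tgz" )

    ps -ef > ${_tmp}/process.list
    # … unchanged: cp of log and config files into $_tmp …

    tar cfz "$_tgz" -C "$_tmp" . || log -t user-data warn "Failed to archive debug logs"
    # logs may hold credentials: insist on at-rest encryption even if the bucket default is off
    aws s3 cp --sse AES256 "$_tgz" "$s3Url/debuglogs.tgz" || log -t user-data warn "Failed to upload debug logs to $s3Url"

    rm -rf "$_tmp" "$_tgz"
    return 0
}
```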
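Review bot: `if [ -n "$ZDT_CLOUDBENDER_DEBUG" ]` in exit_trap is the one place this commit does not route the flag through is_enabled, and it is now wrong: import_meta_data no longer unsets the variable for "false"/"none", so any non-empty value makes the SNS subject say "Instance kept running for debug." while the poweroff decision a few lines later (made with is_enabled) terminates the instance. Use the same predicate, `if is_enabled "$ZDT_CLOUDBENDER_DEBUG"; then`, so the notification and the action cannot disagree. exit_trap begins before this hunk and continues after it.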
@@ -462,8 +481,10 @@ exit_trap() { end_uptime=$(awk '{print $1}' < /proc/uptime) log -t user-data info "Exiting user-data. Duration: $(echo "$end_uptime-$start_uptime" | bc) seconds" - # Shutdown / poweroff if we ran into error and not DEBUG - [ $ERR_CODE -ne 0 -a -z "$DEBUG" ] && poweroff + # if we ran into error, either upload debug files or poweroff + if [ $ERR_CODE -ne 0 ]; then + is_enabled $ZDT_CLOUDBENDER_DEBUG && upload_debug_logs || poweroff + fi exit 0 } @@ -575,6 +596,8 @@ EOF # Short cut our public IP to private one to allow talking to our own service name add_once /etc/hosts "${IP_ADDRESS} ${SERVICENAME}.${DNSZONE}" + + log -t user-data info "Registered $_IP with ${SERVICENAME}.$DNSZONE" fi } @@ -646,17 +669,17 @@ register_routes() { } -setup_nat() { - local mode=$1 +setup_prometheus() { + rc-update add node-exporter default + rc-service node-exporter start - # Masquerade all outgoing traffic - iptables -t nat -A POSTROUTING -o $DEFAULT_GW_INTERFACE -s ${VPC_CIDR_RANGE} -j MASQUERADE + log -t user-data info "Enabled and started Prometheus node-exporter" } setup_fluentbit() { local key="cloudbender" - local host="$1" + local host="${1:-fluentd}" if [[ "$host" =~ "@" ]]; then key=${host%%@*} @@ -693,4 +716,9 @@ EOF ## TODO: # Add parameter parsing for custom logfile tailing + + rc-update add fluent-bit default + rc-service fluent-bit start + + log -t user-data info "Enabled and started fluent-bit logging agent sending logs to $host" } diff --git a/kubezero/zdt-base/syslog-ng.conf b/kubezero/zdt-base/syslog-ng.conf index 2a537e3..6fc6e83 100644 --- a/kubezero/zdt-base/syslog-ng.conf +++ b/kubezero/zdt-base/syslog-ng.conf @@ -1,7 +1,7 @@ # syslog-ng, format all json into messages # https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.23/administration-guide/63#TOPIC-1268643 -@version: 4.1 +@version: 4.5 @include "scl.conf" options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no); 
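Review bot: `is_enabled $ZDT_CLOUDBENDER_DEBUG && upload_debug_logs || poweroff` ties the poweroff to the exit status of upload_debug_logs, not only to the debug flag: today the helper ends in an explicit `return 0`, so the coupling is latent, but the moment someone lets an upload failure propagate a debug instance powers itself off and the logs are gone too. Spell the decision out, `if is_enabled "$ZDT_CLOUDBENDER_DEBUG"; then upload_debug_logs; else poweroff; fi`, and quote the variable for the reason noted on is_enabled. The comment above could state the intent plainly: `# On failure: keep the instance and upload diagnostics in debug mode, otherwise power off so the ASG replaces it`.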
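Review bot: The new log line in register_service_dns prints `$_IP`, while the `add_once` line directly above it uses `${IP_ADDRESS}`; if `_IP` is not assigned earlier in this function (its body starts outside the hunk) the message reads "Registered  with …" and misleads whoever is debugging DNS registration. If the two are meant to be the same address, `log -t user-data info "Registered ${IP_ADDRESS} with ${SERVICENAME}.${DNSZONE}"` is the safe choice; please verify which variable holds the value that was actually registered.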
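Review bot: setup_prometheus is called from cloudbender.init as `setup_prometheus $PROMETHEUS_ALLOW`, but the function introduced here never reads `$1`, so the allow-list the operator configures has no effect and node-exporter is enabled and started with whatever default listener the package ships, reachable from anything that can route to the node. Either honour the argument — `local allow="${1:-}"` followed by a source-restricted firewall rule in the style of the `iptables` line this hunk removes from setup_nat, or a node-exporter listen-address/web-config option — or drop the parameter from the call so the configuration does not promise a restriction it does not enforce. A one-line comment stating which of the two is intended would prevent the next reader from assuming the filtering exists.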
@@ -15,8 +15,9 @@ destination d_mesg { file("/var/log/messages" template("$(format-json time=\"$UN # filter ipvs loggging each SYN to closed port # IPVS: rr: TCP 10.52.82.199:31021 - no destination available -filter f_drop_ipvs { not (facility(kern) and match("IPVS: rr:.*no destination available" value("MESSAGE"))); }; +# filter f_drop_ipvs { not (facility(kern) and match("IPVS: rr:.*no destination available" value("MESSAGE"))); }; # "message":"net_ratelimit: 16 callbacks suppressed" -filter f_drop_ipvs_ratelimit { not (facility(kern) and match("net_ratelimit:.*callbacks suppressed" value("MESSAGE"))); }; +# filter f_drop_ipvs_ratelimit { not (facility(kern) and match("net_ratelimit:.*callbacks suppressed" value("MESSAGE"))); }; +# log { source(s_sys); filter(f_drop_ipvs); filter(f_drop_ipvs_ratelimit); destination(d_mesg); }; -log { source(s_sys); filter(f_drop_ipvs); filter(f_drop_ipvs_ratelimit); destination(d_mesg); }; +log { source(s_sys); destination(d_mesg); }; diff --git a/kubezero/zdt-base/write_parameters.py b/kubezero/zdt-base/write_parameters.py new file mode 100644 index 0000000..9054355 --- /dev/null +++ b/kubezero/zdt-base/write_parameters.py 
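Review bot: Commenting out f_drop_ipvs and f_drop_ipvs_ratelimit means every "IPVS: rr: … no destination available" SYN to a closed NodePort and the accompanying net_ratelimit lines now reach /var/log/messages and, through setup_fluentbit, the remote log host, which is a log-volume and noise concern on exposed nodes and a change in what detections downstream will see. If the filters were disabled because of the 4.1 → 4.5 syntax change, say so in place of the dead config, e.g. `# IPVS noise filters disabled: match() syntax needs revisiting for syslog-ng 4.5 — re-enable once fixed`; otherwise delete the three commented lines rather than leaving an unexplained copy of the old pipeline beside the live one.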
@@ -0,0 +1,63 @@ +#!/usr/bin/python3 +import os +import boto3 +import argparse + +parser = argparse.ArgumentParser( + description="Get SSM parameters beyond and write to files") +parser.add_argument( + "--path", + dest="path", + action="store", + required=True, + help="SSM parameter path") +parser.add_argument( + "--root", + dest="root", + action="store", + required=True, + help="root filesystem path to create files") + +args = parser.parse_args() + + +session = boto3.Session() +awsSSMClient = session.client('ssm') + + +def get_parameters_by_path(nextToken=None): + params = { + 'Path': args.path, + 'Recursive': True, + 'WithDecryption': True + } + if nextToken is not None: + params['NextToken'] = nextToken + return awsSSMClient.get_parameters_by_path(**params) + + +def getParameters(): + nextToken = None + while True: + response = get_parameters_by_path(nextToken) + parameters = response['Parameters'] + if len(parameters) == 0: + break + for parameter in parameters: + yield parameter + if 'NextToken' not in response: + break + nextToken = response['NextToken'] + + +for parameter in getParameters(): + file_name = os.path.join( + args.root, parameter["Name"].removeprefix( + args.path).lstrip("/")) + + os.makedirs(os.path.dirname(file_name), mode=0o755, exist_ok=True) + + #print(f'{file_name}={parameter["Value"]}') + + with open(file_name, "w") as file: + file.write(parameter["Value"]) diff --git a/kubezero/zdt-base/zdt-sysctl.conf b/kubezero/zdt-base/zdt-sysctl.conf index c61ef3b..78d208d 100644 --- a/kubezero/zdt-base/zdt-sysctl.conf +++ b/kubezero/zdt-base/zdt-sysctl.conf @@ -13,3 +13,4 @@ net.ipv4.ip_forward_use_pmtu = 0 kernel.panic = 10 kernel.panic_on_oops = 1 vm.oom_dump_tasks = 0 +vm.max_map_count=262144
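Review bot: The write loop at the end of write_parameters.py fetches parameters with `WithDecryption=True` and writes them via a plain `open(file_name, "w")`, so decrypted SecureString values are created with the process umask (typically 0644) and are readable by every local user; the destination should be opened owner-only. The path is also built from the SSM name with only `removeprefix`/`lstrip("/")`, so a name containing a `..` segment (whether SSM permits one should be confirmed rather than assumed) would resolve outside `--root` — anyone with ssm:PutParameter under that path would then write arbitrary files as root on the node; a `commonpath` check against the resolved root closes that. `removeprefix` is exact-match, so `--path /foo` would turn `/foobar/x` into `bar/x`; normalising `args.path` to a trailing slash avoids the surprise. A module docstring and a short comment on why the mode is 0o600 would make the intent survive the next edit.

```python
root = os.path.realpath(args.root)

for parameter in getParameters():
    relative = parameter["Name"].removeprefix(args.path).lstrip("/")
    file_name = os.path.realpath(os.path.join(root, relative))

    # refuse names that would escape --root (e.g. a '..' segment in the SSM name)
    if os.path.commonpath([root, file_name]) != root:
        raise ValueError(f'parameter {parameter["Name"]} resolves outside {root}')

    os.makedirs(os.path.dirname(file_name), mode=0o755, exist_ok=True)

    # values are decrypted SecureStrings: owner-only, never the umask default
    fd = os.open(file_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w") as file:
        file.write(parameter["Value"])
```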