*: use podman instead of docker #207
@@ -4,7 +4,7 @@ set -e | |
echo "Rendering Kubernetes core manifests..." | ||
|
||
# shellcheck disable=SC2154 | ||
/usr/bin/docker run \ | ||
/usr/bin/podman run \ | ||
--volume "$PWD:/assets:z" \ | ||
--volume /etc/kubernetes:/etc/kubernetes:z \ | ||
"${kube_core_renderer_image}" \ | ||
|
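Review bot: the absolute `/usr/bin/podman` path is now assumed on every host that runs this bootstrap script, and the thread below confirms it breaks Container Linux, which still ships docker; either gate on the binary being present or state in the commit message that this script is now RHCOS-only so the dependency change is explicit.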
@@ -14,7 +14,7 @@ echo "Rendering Kubernetes core manifests..." | |
echo "Rendering TNC manifests..." | ||
|
||
# shellcheck disable=SC2154 | ||
/usr/bin/docker run \ | ||
/usr/bin/podman run \ | ||
--user 0 \ | ||
--volume "$PWD:/assets:z" \ | ||
"${tnc_operator_image}" \ | ||
|
@@ -29,14 +29,13 @@ cp "$PWD/tnc-bootstrap/tectonic-node-controller-config.yaml" /etc/kubernetes/tnc | |
# We originally wanted to run the etcd cert signer as | ||
# a static pod, but kubelet could't remove static pod | ||
# when API server is not up, so we have to run this as | ||
# docker container. | ||
# podman container. | ||
# See https://github.com/kubernetes/kubernetes/issues/43292 | ||
|
||
echo "Starting etcd certificate signer..." | ||
|
||
# shellcheck disable=SC2154 | ||
SIGNER=$(/usr/bin/docker run -d \ | ||
--tmpfs /tmp \ | ||
I think this was basically for security so that the keys/cert never hit the disk
||
SIGNER=$(/usr/bin/podman run -d \ | ||
--volume /opt/tectonic/tls:/opt/tectonic/tls:ro,z \ | ||
--network host \ | ||
"${etcd_cert_signer_image}" \ | ||
|
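Review bot: this hunk drops `--tmpfs /tmp` from the signer invocation (the header shrinks from 14 to 13 lines) while the PR title only promises a docker-to-podman swap; the inline comment says the tmpfs was there so keys and certs never hit the disk, and podman accepts `--tmpfs`, so keep the flag, or explain in the commit message why it had to go.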
@@ -57,8 +56,9 @@ i=0 | |
while true; do | ||
set +e | ||
# shellcheck disable=SC2154,SC2086 | ||
/usr/bin/docker run \ | ||
/usr/bin/podman run \ | ||
--rm \ | ||
--network host \ | ||
Can you explain why you need this?
It wasn't able to access the outside network without. I thought I heard that this was expected behavior with podman (though, I don't know where I heard that).
this should have worked....
podman should work fine without requiring --network=host. What version of podman were you testing with?
@rhatdan
If this is a known issue with an upstream fix, we may be able to drop this after #253 takes us up to RHCOS 4.0.5595-1 with: $ curl -s http://aos-ostree.rhev-ci-vms.eng.rdu2.redhat.com/rhcos/images/cloud/4.0.5595-1/pkglist.txt | grep podman
podman-0.8.5-2.gitdc5a711.el7.x86_64 Thank you openshift/os#288 :).
||
--name etcdctl \ | ||
--env ETCDCTL_API=3 \ | ||
--volume /opt/tectonic/tls:/opt/tectonic/tls:ro,z \ | ||
|
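Review bot: the added `--network host` puts the etcdctl probe container in the host's network namespace, which the reviewers say podman should not need; if it stays as a workaround for the podman build in use, add a comment next to the flag naming that version and #253 as the point at which it can be removed, so it does not linger once the base image moves on.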
@@ -86,15 +86,15 @@ done | |
|
||
echo "etcd cluster up. Killing etcd certificate signer..." | ||
|
||
/usr/bin/docker kill "$SIGNER" | ||
/usr/bin/podman kill "$SIGNER" | ||
rm /etc/kubernetes/manifests/tectonic-node-controller-pod.yaml | ||
|
||
cp -r "$PWD/bootstrap-configs" /etc/kubernetes/bootstrap-configs | ||
|
||
echo "Starting bootkube..." | ||
|
||
# shellcheck disable=SC2154 | ||
/usr/bin/docker run \ | ||
/usr/bin/podman run \ | ||
--volume "$PWD:/assets:z" \ | ||
--volume /etc/kubernetes:/etc/kubernetes:z \ | ||
--network=host \ | ||
|
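Review bot: `podman kill "$SIGNER"` stops the signer but leaves the container and its writable layer on the host, since the `podman run -d` that created it has no `--rm`; with the tmpfs no longer in place that is where any scratch files would remain, so `podman rm -f "$SIGNER"` would be the safer teardown here.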
This breaks Container Linux, no? I'll launch the smoke tests to see... [edit: @crawford already launched them :)]
Yep. We'll need to remove CL support before we can merge this.
#221 is ready to go (once openshift/release#1317 merges).
@ashcrow can you also update bootkube.service so that it no longer depends on docker.service?
Sure. Will update shortly.
⬆️