From 61b01908933fd59f60e90ec4593091695b5a9a6b Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Sat, 26 Aug 2023 14:15:10 +0900 Subject: [PATCH] [WIP] Usernetes Gen2: depends on Rootless Docker on hosts Fix issue 286 TODO: - multi-node - data persistency 
Signed-off-by: Akihiro Suda --- .cirrus.yml | 46 -- .dockerignore | 2 +- .github/workflows/ghcr.yaml | 39 -- .github/workflows/main.yaml | 64 ++- .github/workflows/release.yaml | 46 -- .gitignore | 7 +- Dockerfile | 216 +------- Makefile | 95 ++-- README.md | 406 ++------------- Vagrantfile | 34 -- boot/containerd-fuse-overlayfs-grpc.sh | 11 - boot/containerd.sh | 35 -- boot/crio.sh | 52 -- boot/docker-2ndboot.sh | 8 - boot/docker-unsudo.sh | 7 - boot/etcd-init-data.sh | 11 - boot/etcd.sh | 22 - boot/flanneld.sh | 26 - boot/kube-apiserver.sh | 24 - boot/kube-controller-manager.sh | 13 - boot/kube-proxy.sh | 23 - boot/kube-scheduler.sh | 7 - boot/kubelet-containerd.sh | 5 - boot/kubelet-crio.sh | 5 - boot/kubelet.sh | 40 -- boot/nsenter.sh | 10 - boot/rootlesskit.sh | 105 ---- common/cfssl.sh | 218 -------- common/common.inc.sh | 127 ----- config/cfssl/README.md | 3 - config/cfssl/admin-csr.json | 16 - config/cfssl/ca-config.json | 13 - config/cfssl/ca-csr.json | 16 - config/cfssl/kube-controller-manager-csr.json | 16 - config/cfssl/kube-proxy-csr.json | 16 - config/cfssl/kube-scheduler-csr.json | 16 - config/cfssl/kubernetes-csr.json | 16 - config/cfssl/service-account-csr.json | 16 - config/cni_net.d/50-bridge.conf | 15 - config/cni_net.d/99-loopback.conf | 4 - config/flannel/cni_net.d/10-flannel.conflist | 19 - config/flannel/etcd/coreos.com_network_config | 1 - config/modules-load.d/usernetes.conf | 22 - docker-compose.yml | 117 +---- docs/binary-release-license/LICENSE-cfssl | 24 - docs/binary-release-license/LICENSE-crun | 339 ------------- .../LICENSE-fuse-overlayfs | 339 ------------- .../LICENSE-slirp4netns | 280 ----------- hack/create-hosts-lxc.sh | 55 ++ ...stemd_system_user@.service.d_delegate.conf | 2 - hack/init-host.root.sh | 23 + hack/init-host.rootless.sh | 10 + hack/show-latest-commits.sh | 18 - hack/smoketest-binaries.sh | 41 -- hack/smoketest-docker-compose.sh | 82 --- hack/smoketest-docker.sh | 47 -- hack/smoketest-manifests/test-limits.yaml | 
13 - ...{smoketest-common.inc.sh => test-smoke.sh} | 45 +- hack/translate-dockerfile-runopt-directive.sh | 29 -- install.sh | 470 ------------------ kubeadm-config.yaml | 24 + manifests/coredns.yaml | 182 ------- rootlessctl.sh | 3 - show-cleanup-command.sh | 23 - show-status.sh | 5 - uninstall.sh | 23 - 66 files changed, 302 insertions(+), 3785 deletions(-) delete mode 100644 .cirrus.yml mode change 120000 => 100644 .dockerignore delete mode 100644 .github/workflows/ghcr.yaml delete mode 100644 .github/workflows/release.yaml delete mode 100644 Vagrantfile delete mode 100755 boot/containerd-fuse-overlayfs-grpc.sh delete mode 100755 boot/containerd.sh delete mode 100755 boot/crio.sh delete mode 100755 boot/docker-2ndboot.sh delete mode 100755 boot/docker-unsudo.sh delete mode 100755 boot/etcd-init-data.sh delete mode 100755 boot/etcd.sh delete mode 100755 boot/flanneld.sh delete mode 100755 boot/kube-apiserver.sh delete mode 100755 boot/kube-controller-manager.sh delete mode 100755 boot/kube-proxy.sh delete mode 100755 boot/kube-scheduler.sh delete mode 100755 boot/kubelet-containerd.sh delete mode 100755 boot/kubelet-crio.sh delete mode 100755 boot/kubelet.sh delete mode 100755 boot/nsenter.sh delete mode 100755 boot/rootlesskit.sh delete mode 100755 common/cfssl.sh delete mode 100644 common/common.inc.sh delete mode 100644 config/cfssl/README.md delete mode 100644 config/cfssl/admin-csr.json delete mode 100644 config/cfssl/ca-config.json delete mode 100644 config/cfssl/ca-csr.json delete mode 100644 config/cfssl/kube-controller-manager-csr.json delete mode 100644 config/cfssl/kube-proxy-csr.json delete mode 100644 config/cfssl/kube-scheduler-csr.json delete mode 100644 config/cfssl/kubernetes-csr.json delete mode 100644 config/cfssl/service-account-csr.json delete mode 100644 config/cni_net.d/50-bridge.conf delete mode 100644 config/cni_net.d/99-loopback.conf delete mode 100644 config/flannel/cni_net.d/10-flannel.conflist delete mode 100644 
config/flannel/etcd/coreos.com_network_config delete mode 100644 config/modules-load.d/usernetes.conf delete mode 100644 docs/binary-release-license/LICENSE-cfssl delete mode 100644 docs/binary-release-license/LICENSE-crun delete mode 100644 docs/binary-release-license/LICENSE-fuse-overlayfs delete mode 100644 docs/binary-release-license/LICENSE-slirp4netns create mode 100755 hack/create-hosts-lxc.sh delete mode 100644 hack/etc_systemd_system_user@.service.d_delegate.conf create mode 100755 hack/init-host.root.sh create mode 100755 hack/init-host.rootless.sh delete mode 100755 hack/show-latest-commits.sh delete mode 100755 hack/smoketest-binaries.sh delete mode 100755 hack/smoketest-docker-compose.sh delete mode 100755 hack/smoketest-docker.sh delete mode 100644 hack/smoketest-manifests/test-limits.yaml rename hack/{smoketest-common.inc.sh => test-smoke.sh} (50%) mode change 100644 => 100755 delete mode 100755 hack/translate-dockerfile-runopt-directive.sh delete mode 100755 install.sh create mode 100644 kubeadm-config.yaml delete mode 100644 manifests/coredns.yaml delete mode 100755 rootlessctl.sh delete mode 100755 show-cleanup-command.sh delete mode 100755 show-status.sh delete mode 100755 uninstall.sh diff --git a/.cirrus.yml b/.cirrus.yml deleted file mode 100644 index 79e9eeb..0000000 --- a/.cirrus.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -compute_engine_instance: - image_project: cirrus-images - image: family/docker-kvm - platform: linux - nested_virtualization: true - # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits - cpu: 4 - # Memory limit: `4GB * NCPU` - memory: 16G - -vagrant_task: - name: "Vagrant" - timeout_in: 30m - env: - DEBIAN_FRONTEND: noninteractive - HOME: /root - DOCKER_BUILDKIT: 1 - info_script: - - uname -a - - cat /proc/cpuinfo - - docker info - build_script: - - make - install_libvirt_vagrant_script: - - apt-get update - - apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt - - systemctl enable --now libvirtd - vagrant_cache: - fingerprint_script: uname -s ; cat Vagrantfile - folder: /root/.vagrant.d - vagrant_up_script: - - vagrant up - # - # Enabling cgroup delegation seems to need rebooting since Fedora 34: https://github.com/rootless-containers/rootlesscontaine.rs/issues/32 - # We shouldn't need this reboot. - vagrant_reboot_script: - - vagrant halt - - vagrant up - # - vagrant_ssh_config_script: - - mkdir -p -m 0700 /root/.ssh - - vagrant ssh-config >> /root/.ssh/config - containerd_test_script: - - ssh default /vagrant/hack/smoketest-binaries.sh --cri=containerd - crio_test_script: - - ssh default /vagrant/hack/smoketest-binaries.sh --cri=crio diff --git a/.dockerignore b/.dockerignore deleted file mode 120000 index 3e4e48b..0000000 --- a/.dockerignore +++ /dev/null @@ -1 +0,0 @@ -.gitignore \ No newline at end of file diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..ae5e959 --- /dev/null +++ b/.dockerignore @@ -0,0 +1 @@ +/kubeconfig diff --git a/.github/workflows/ghcr.yaml b/.github/workflows/ghcr.yaml deleted file mode 100644 index ea5e663..0000000 --- a/.github/workflows/ghcr.yaml +++ /dev/null 
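Review bot: The new standalone `.dockerignore` with the single `+/kubeconfig` entry narrows the build-context exclusions: the file it replaces was a symlink to `.gitignore` (mode 120000, content `.gitignore`), so every git-ignored path was also kept out of `docker build`, whereas now only the copied admin kubeconfig is. Anything else git-ignored in a developer's working tree (the `.gitignore` hunk of this patch is not readable here, so I cannot tell what remains in it) will now be sent to the daemon as build context, including any local credential or state files kept there. If the single entry is intentional, a comment above it such as `# the Makefile's kubeconfig target writes cluster-admin credentials here; never include them in a build context` would document the choice; otherwise mirror the relevant `.gitignore` entries here.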
@@ -1,39 +0,0 @@ -# Adopted from https://github.com/docker/metadata-action/tree/v3.3.0#basic -# (Apache License 2.0) -name: GHCR - -on: - push: - branches: - - 'master' - tags: - - 'v*' - pull_request: - branches: - - 'master' - -jobs: - ghcr: - runs-on: ubuntu-20.04 - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Docker meta - id: meta - uses: docker/metadata-action@v3 - with: - images: ghcr.io/${{ github.repository }} - - name: Login to GHCR - if: github.event_name != 'pull_request' - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push - uses: docker/build-push-action@v2 - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index accbe28..9f34fd1 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
@@ -1,25 +1,59 @@ +--- name: Main on: [push, pull_request] env: DOCKER_BUILDKIT: 1 + KUBECONFIG: ./kubeconfig jobs: - docker: - name: "Docker" + single-node: + name: "Single node" runs-on: ubuntu-22.04 timeout-minutes: 40 steps: - - name: "System info" - run: sh -xec "uname -a; docker info; cat /proc/cpuinfo; df -h" - uses: actions/checkout@v3 - - name: "Make" - run: make image - - name: "Clean up (To avoid `node.kubernetes.io/disk-pressure` taint)" + - name: Set up cgroup v2 delegation run: | - make clean - docker builder prune -a -f - - name: "Smoke test (containerd)" - run: ./hack/smoketest-docker.sh u7s-test-containerd ghcr.io/rootless-containers/usernetes --cri=containerd - - name: "Smoke test (CRI-O)" - run: ./hack/smoketest-docker.sh u7s-test-crio ghcr.io/rootless-containers/usernetes --cri=crio - - name: "Smoke test (multi-node cluster with Flannel)" - run: ./hack/smoketest-docker-compose.sh + sudo mkdir -p /etc/systemd/system/user@.service.d + cat < $(HOME)/.config/usernetes/docker-compose.kubeconfig - echo "To use kubectl: export KUBECONFIG=$(HOME)/.config/usernetes/docker-compose.kubeconfig" +.PHONY: down-v +down-v: + $(COMPOSE) down -v -down: - docker-compose --project-name=usernetes down -v -t 0 - rm -f $(HOME)/.config/usernetes/docker-compose.kubeconfig +.PHONY: shell +shell: + $(NODE_SHELL) bash -artifact: binaries _artifact +.PHONY: logs +logs: + $(NODE_SHELL) journalctl --follow --since="1 day ago" -_artifact: - rm -rf _artifact _SHA256SUMS - mkdir _artifact - ( cd .. 
&& tar --exclude=usernetes/.git --exclude=usernetes/_artifact -cjvf ./usernetes/_artifact/usernetes-x86_64.tbz usernetes ) - (cd _artifact ; sha256sum * > ../_SHA256SUMS; mv ../_SHA256SUMS ./SHA256SUMS) - cat _artifact/SHA256SUMS +.PHONY: kubeconfig +kubeconfig: + $(COMPOSE) cp $(NODE_SERVICE_NAME):/etc/kubernetes/admin.conf ./kubeconfig + @echo "# Run the following command by yourself:" + @echo "export KUBECONFIG=$(shell pwd)/kubeconfig" -clean: - rm -rf _artifact bin +.PHONY: kubeadm-init +kubeadm-init: + $(NODE_SHELL) sh -euc "envsubst /tmp/kubeadm-config.yaml" + $(NODE_SHELL) kubeadm init --config /tmp/kubeadm-config.yaml -.PHONY: binaries _binaries image test _test up _up down artifact _artifact clean +.PHONY: install-flannel +install-flannel: + $(NODE_SHELL) kubectl apply -f https://github.com/flannel-io/flannel/releases/download/v0.22.2/kube-flannel.yml diff --git a/README.md b/README.md index 7f3c932..b939a51 100644 --- a/README.md +++ b/README.md 
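Review bot: The `kubeconfig` target copies the cluster-admin credential (`/etc/kubernetes/admin.conf`) out of the node to `./kubeconfig` without fixing its mode; unless `$(COMPOSE) cp` preserves the restrictive mode kubeadm gives that file on the node, which I cannot confirm from the hunk, the copy may end up readable by other local users. Adding `chmod 600 ./kubeconfig` directly after the `cp` line makes the intent explicit either way, and the echoed hint could say so. The beginning of this Makefile hunk is not readable in this patch view, so the `COMPOSE`/`NODE_SHELL` definitions and the `.PHONY` list were not reviewed. Separately, `install-flannel` applies `kube-flannel.yml` fetched from a release tag at cluster bring-up; pinning or vendoring that manifest would make the deployed cluster content reproducible and reviewable.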
@@ -1,391 +1,61 @@ -# Usernetes: Kubernetes without the root privileges +# Usernetes: Kubernetes without the root privileges (Generation 2) -Usernetes aims to provide a reference distribution of Kubernetes that can be installed under a user's `$HOME` and does not require the root privileges. - - - - - -- [Included components](#included-components) -- [Adoption](#adoption) -- [How it works](#how-it-works) -- [Restrictions](#restrictions) -- [Requirements](#requirements) - - [cgroup v2](#cgroup-v2) - - [Enable cpu controller](#enable-cpu-controller) -- [Quick start](#quick-start) - - [Download](#download) - - [Install](#install) - - [Use `kubectl`](#use-kubectl) - - [Uninstall](#uninstall) -- [Run Usernetes in Docker](#run-usernetes-in-docker) - - [Single node](#single-node) - - [Multi node (Docker Compose)](#multi-node-docker-compose) -- [Advanced guide](#advanced-guide) - - [Expose netns ports to the host](#expose-netns-ports-to-the-host) - - [Routing ping packets](#routing-ping-packets) - - [IP addresses](#ip-addresses) - - [Install Usernetes from source](#install-usernetes-from-source) -- [License](#license) - - - -## Included components - -* Installer scripts -* Rootless Containers infrastructure ([RootlessKit](https://github.com/rootless-containers/rootlesskit), [slirp4netns](https://github.com/rootless-containers/slirp4netns), and [fuse-overlayfs](https://github.com/containers/fuse-overlayfs)) -* Master components (`etcd`, `kube-apiserver`, ...) -* Node components (`kubelet` and `kube-proxy`) -* CRI runtimes - * containerd (default) - * CRI-O -* OCI runtime - * crun -* Multi-node CNI - * Flannel (VXLAN) -* CoreDNS - -Installer scripts are in POC status. - -See [Adoption](#adoption) for Usernetes-based Kubernetes distributions. +Usernetes (Gen2) deploys a Kubernetes cluster on [Rootless Docker hosts](https://rootlesscontaine.rs/getting-started/docker/). 
> **Note** > -> [Usernetes no longer includes Docker (Moby) binaries since February 2020.](https://github.com/rootless-containers/usernetes/pull/126) -> -> To install Rootless Docker, see https://get.docker.com/rootless . +> Usernetes (Gen2) has *significantly* diverged from the original Usernetes (Gen1), +> which did not rely on Rootless Docker hosts. > -> See also https://docs.docker.com/engine/security/rootless/ for the further information. - -## Adoption - -We encourage other Kubernetes distributions to adopt Usernetes. - -Currently, the following distributions adopt Usernetes: -* [k3s](https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service) -* [Silverkube](https://github.com/podenv/silverkube) - -## How it works +> See the [`gen1`](https://github.com/rootless-containers/usernetes/tree/gen1) branch for +> the original Usernetes (Gen1). -Usernetes executes Kubernetes and CRI runtimes without the root privileges by using unprivileged [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html), [`mount_namespaces(7)`](http://man7.org/linux/man-pages/man7/mount_namespaces.7.html), and [`network_namespaces(7)`](http://man7.org/linux/man-pages/man7/network_namespaces.7.html). +Usernetes (Gen2) is similar to [Rootless `kind`](https://kind.sigs.k8s.io/docs/user/rootless/) and [Rootless minikube](https://minikube.sigs.k8s.io/docs/drivers/docker/), +but Usernetes (Gen 2) supports creating a cluster with multiple hosts. -To set up NAT across the host and the network namespace without the root privilege, Usernetes uses a usermode network stack ([slirp4netns](https://github.com/rootless-containers/slirp4netns)). 
- -No SETUID/SETCAP binary is needed, except [`newuidmap(1)`](http://man7.org/linux/man-pages/man1/newuidmap.1.html) and [`newgidmap(1)`](http://man7.org/linux/man-pages/man1/newgidmap.1.html), which are used for setting up [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html) with multiple sub-UIDs and sub-GIDs. - -## Restrictions - -* Usermode networking called [slirp4netns](https://github.com/rootless-containers/slirp4netns) is used instead of kernel-mode [vEth](http://man7.org/linux/man-pages/man4/veth.4.html) pairs. -* [fuse-overlayfs](https://github.com/containers/fuse-overlayfs) is used instead of kernel-mode overlayfs. -* Node ports are network-namespaced -* Apparmor is unsupported +## Components +- Cluster configuration: kubeadm +- CRI: containerd +- OCI: runc +- CNI: Flannel ## Requirements -Recommended host distributions are Ubuntu 22.04 and Fedora 38. - -The following requirements have to be satisfied: - -* Kernel >= 4.18. - -* cgroup v2. - -* Recent version of systemd. Known to work with systemd >= 242. - -* `mount.fuse3` binary. Provided by `fuse3` package on most distros. - -* `iptables` binary. Provided by `iptables` package on most distros. - -* `conntrack` binary. Provided by `conntrack` package on most distros. - -* `newuidmap` and `newgidmap` binaries. Provided by `uidmap` package on most distros. - -* `/etc/subuid` and `/etc/subgid` should contain more than 65536 sub-IDs. e.g. `exampleuser:231072:65536`. These files are automatically configured on most distros. 
- -```console -$ id -u -1001 -$ whoami -exampleuser -$ grep "^$(whoami):" /etc/subuid -exampleuser:231072:65536 -$ grep "^$(whoami):" /etc/subgid -exampleuser:231072:65536 -``` - -* The following kernel modules to be loaded: -``` -fuse -tun -tap -bridge -br_netfilter -veth -ip_tables -ip6_tables -iptable_nat -ip6table_nat -iptable_filter -ip6table_filter -nf_tables -x_tables -xt_MASQUERADE -xt_addrtype -xt_comment -xt_conntrack -xt_mark -xt_multiport -xt_nat -xt_tcpudp -``` - -### cgroup v2 - -The host needs to be running with cgroup v2. - -If `/sys/fs/cgroup/cgroup.controllers` is present on your system, you are using v2, otherwise you are using v1. - -To enable cgroup v2, add `systemd.unified_cgroup_hierarchy=1` to the `GRUB_CMDLINE_LINUX` line in `/etc/default/grub` and run `sudo update-grub`. - -If `grubby` command is available on your system, this step can be also accomplished with `sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"`. - - -#### Enable cpu controller -Typically, only `memory` and `pids` controllers are delegated to non-root users by default. 
-```console -$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.subtree_control -memory pids -``` +- [Rootless Docker](https://rootlesscontaine.rs/getting-started/docker/) +- cgroup v2 delegation: +```bash +sudo mkdir -p /etc/systemd/system/user@.service.d -To allow delegation of all controllers, you need to change the systemd configuration as follows: - -```console -# mkdir -p /etc/systemd/system/user@.service.d -# cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF +cat < 3m42s v1.14-usernetes 10.0.101.100 Ubuntu 18.04.1 LTS 4.15.0-43-generic docker://Unknown -b2204f192e5c Ready 3m42s v1.14-usernetes 10.0.102.100 Ubuntu 18.04.1 LTS 4.15.0-43-generic cri-o://1.14.0-dev -ba0133c68378 Ready 3m42s v1.14-usernetes 10.0.103.100 Ubuntu 18.04.1 LTS 4.15.0-43-generic containerd://1.2.0-168-gb3807c5d -$ kubectl run --replicas=3 --image=nginx:alpine nginx -$ kubectl get pods -o wide -NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES -nginx-6b4b85b77b-7hqrk 1/1 Running 0 3s 10.5.13.3 b2204f192e5c -nginx-6b4b85b77b-8rknj 1/1 Running 0 3s 10.5.79.3 967e81e90e1f -nginx-6b4b85b77b-r466s 1/1 Running 0 3s 10.5.7.3 ba0133c68378 -$ kubectl exec -it nginx-6b4b85b77b-7hqrk -- wget -O - http://10.5.79.3 -Connecting to 10.5.79.3 (10.5.79.3:80) - - - -Welcome to nginx! -... -$ kubectl exec -it nginx-6b4b85b77b-7hqrk -- wget -O - http://10.5.7.3 -Connecting to 10.5.7.3 (10.5.7.3:80) - - - -Welcome to nginx! -... -``` - -## Advanced guide - -### Expose netns ports to the host - -As Usernetes runs in a network namespace (with [slirp4netns](https://github.com/rootless-containers/slirp4netns)), -you can't expose container ports to the host by just running `kubectl expose --type=NodePort`. 
- -In addition, you need to expose Usernetes netns ports to the host: - -```console -$ ./rootlessctl.sh add-ports 0.0.0.0:30080:30080/tcp -``` - -You can also manually expose Usernetes netns ports manually with `socat`: - -```console -$ pid=$(cat $XDG_RUNTIME_DIR/usernetes/rootlesskit/child_pid) -$ socat -t -- TCP-LISTEN:30080,reuseaddr,fork EXEC:"nsenter -U -n -t $pid socat -t -- STDIN TCP4\:127.0.0.1\:30080" -``` - -### Routing ping packets - -To route ping packets, you may need to set up `net.ipv4.ping_group_range` properly as the root. - -```console -$ sudo sh -c "echo 0 2147483647 > /proc/sys/net/ipv4/ping_group_range" -``` - -### IP addresses - -* 10.0.0.0/24: The CIDR for the Kubernetes ClusterIP services - * 10.0.0.1: The kube-apiserver ClusterIP - * 10.0.0.53: The CoreDNS ClusterIP - -* 10.0.42.0/24: The default CIDR for the RootlessKit network namespace. Can be overridden with `install.sh --cidr=`. - * 10.0.42.2: The slirp4netns gateway - * 10.0.42.3: The slirp4netns DNS - * 10.0.42.100: The slirp4netns TAP device - -* 10.0.100.0/24: The CIDR used instead of 10.0.42.0/24 in Docker Compose master -* 10.0.101.0/24: The CIDR used instead of 10.0.42.0/24 in Docker Compose containerd node -* 10.0.102.0/24: The CIDR used instead of 10.0.42.0/24 in Docker Compose CRI-O node - -* 10.5.0.0/16: The CIDR for Flannel - -* 10.88.0.0/16: The CIDR for single-node CNI - -### Install Usernetes from source - -Docker 17.05+ is required for building Usernetes from the source. -Docker 18.09+ with `DOCKER_BUILDKIT=1` is recommended. - -```console -$ make -``` - -Binaries are generated under `./bin` directory. - -## License - -Usernetes is licensed under the terms of [Apache License Version 2.0](LICENSE). 
- -The binary releases of Usernetes contain files that are licensed under the terms of different licenses: - -* `bin/crun`: [GNU GENERAL PUBLIC LICENSE Version 2](docs/binary-release-license/LICENSE-crun), see https://github.com/containers/crun -* `bin/fuse-overlayfs`: [GNU GENERAL PUBLIC LICENSE Version 2](docs/binary-release-license/LICENSE-fuse-overlayfs), see https://github.com/containers/fuse-overlayfs -* `bin/slirp4netns`: [GNU GENERAL PUBLIC LICENSE Version 2](docs/binary-release-license/LICENSE-slirp4netns), see https://github.com/rootless-containers/slirp4netns -* `bin/{cfssl,cfssljson}`: [2-Clause BSD License](docs/binary-release-license/LICENSE-cfssl), see https://github.com/cloudflare/cfssl +TODO: multi-node diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index fb3ca4b..0000000 --- a/Vagrantfile +++ /dev/null @@ -1,34 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - config.vm.box = "fedora/37-cloud-base" - memory = 4096 - cpus = 2 - config.vm.provider :virtualbox do |v| - v.memory = memory - v.cpus = cpus - end - config.vm.provider :libvirt do |v| - v.memory = memory - v.cpus = cpus - end - config.vm.provision "shell", inline: <<-SHELL - set -eux -o pipefail - dnf install -q -y conntrack findutils fuse3 git iproute iptables hostname procps-ng time which jq - - # Delegate cgroup v2 controllers - mkdir -p /etc/systemd/system/user@.service.d - cp -f /vagrant/hack/etc_systemd_system_user@.service.d_delegate.conf /etc/systemd/system/user@.service.d/delegate.conf - systemctl daemon-reload - - # Load kernel modules - cp -f /vagrant/config/modules-load.d/usernetes.conf /etc/modules-load.d/usernetes.conf - systemctl restart systemd-modules-load.service - - # dmesg_restrict=1 is set for testing issue 204. - # This sysctl is NOT a requirement ro run Usernetes. - echo "kernel.dmesg_restrict=1" > /etc/sysctl.d/99-usernetes.conf - sysctl --system - SHELL -end 
diff --git a/boot/containerd-fuse-overlayfs-grpc.sh b/boot/containerd-fuse-overlayfs-grpc.sh deleted file mode 100755 index 38039c8..0000000 --- a/boot/containerd-fuse-overlayfs-grpc.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -export U7S_BASE_DIR=$(realpath $(dirname $0)/..) -source $U7S_BASE_DIR/common/common.inc.sh -nsenter::main $0 $@ - -mkdir -p $XDG_RUNTIME_DIR/usernetes/containerd $XDG_DATA_HOME/usernetes/containerd - -exec containerd-fuse-overlayfs-grpc \ - $@ \ - $XDG_RUNTIME_DIR/usernetes/containerd/fuse-overlayfs.sock \ - $XDG_DATA_HOME/usernetes/containerd/io.containerd.snapshotter.v1.fuse-overlayfs diff --git a/boot/containerd.sh b/boot/containerd.sh deleted file mode 100755 index bc06aaa..0000000 --- a/boot/containerd.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/bash -# needs to be called inside the namespaces -export U7S_BASE_DIR=$(realpath $(dirname $0)/..) -source $U7S_BASE_DIR/common/common.inc.sh - -mkdir -p $XDG_RUNTIME_DIR/usernetes -cat >$XDG_RUNTIME_DIR/usernetes/containerd.toml <$XDG_CONFIG_HOME/usernetes/containers/policy.json <$XDG_CONFIG_HOME/usernetes/containers/registries.conf <$XDG_CONFIG_HOME/usernetes/crio/crio.conf <$XDG_RUNTIME_DIR/usernetes/kube-proxy-config.yaml <$XDG_RUNTIME_DIR/usernetes/kubelet-config.yaml </dev/null ; then - : ${U7S_PARENT_IP=$(hostname -I | sed -e 's/ .*//g')} - else - : ${U7S_PARENT_IP=$(hostname -i | sed -e 's/ .*//g')} - fi - export _U7S_CHILD U7S_PARENT_IP - - # Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces. - # - # --net specifies the network stack. slirp4netns and VPNKit are supported. - # Currently, slirp4netns is the fastest. - # See https://github.com/rootless-containers/rootlesskit for the benchmark result. - # - # --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks - # * /etc: copy-up is required so as to prevent `/etc/resolv.conf` in the - # namespace from being unexpectedly unmounted when `/etc/resolv.conf` is recreated on the host - # (by either systemd-networkd or NetworkManager) - # * /run: copy-up is required so that we can create /run/* in our namespace - # * /var/lib: copy-up is required for several Kube stuff - # * /opt: copy-up is required for mounting /opt/cni/bin - rootlesskit \ - --state-dir $rk_state_dir \ - --net=slirp4netns --mtu=65520 --disable-host-loopback --slirp4netns-sandbox=true --slirp4netns-seccomp=true \ - --port-driver=builtin \ - --copy-up=/etc --copy-up=/run --copy-up=/var/lib --copy-up=/opt \ - --cgroupns \ - --pidns \ - --ipcns \ - --utsns \ - --propagation=rslave \ - --evacuate-cgroup2="rootlesskit_evac" \ - $U7S_ROOTLESSKIT_FLAGS \ - $0 $@ -else - # save IP address - echo $U7S_PARENT_IP >$XDG_RUNTIME_DIR/usernetes/parent_ip 
- - # Remove symlinks so that the child won't be confused by the parent configuration - rm -f \ - /run/xtables.lock /run/flannel /run/netns \ - /run/runc /run/crun \ - /run/containerd /run/containers /run/crio \ - /etc/cni \ - /etc/containerd /etc/containers /etc/crio \ - /etc/kubernetes - - # Copy CNI config to /etc/cni/net.d (Likely to be hardcoded in CNI installers) - mkdir -p /etc/cni/net.d - cp -f $U7S_BASE_DIR/config/cni_net.d/* /etc/cni/net.d - if [[ $U7S_FLANNEL == 1 ]]; then - cp -f $U7S_BASE_DIR/config/flannel/cni_net.d/* /etc/cni/net.d - mkdir -p /run/flannel - fi - # Bind-mount /opt/cni/net.d (Likely to be hardcoded in CNI installers) - mkdir -p /opt/cni/bin - mount --bind $U7S_BASE_DIR/bin/cni /opt/cni/bin - - # These bind-mounts are needed at the moment because the paths are hard-coded in Kube and CRI-O. - binds=(/var/lib/kubelet /var/lib/cni /var/log /var/lib/containers /var/cache) - for f in ${binds[@]}; do - src=$XDG_DATA_HOME/usernetes/$(echo $f | sed -e s@/@_@g) - if [[ -L $f ]]; then - # Remove link created by `rootlesskit --copy-up` if any - rm -rf $f - fi - mkdir -p $src $f - mount --bind $src $f - done - - rk_pid=$(cat $rk_state_dir/child_pid) - # workaround for https://github.com/rootless-containers/rootlesskit/issues/37 - # child_pid might be created before the child is ready - echo $rk_pid >$rk_state_dir/_child_pid.u7s-ready - log::info "RootlessKit ready, PID=${rk_pid}, state directory=$rk_state_dir ." - log::info "Hint: You can enter RootlessKit namespaces by running \`nsenter -U --preserve-credential -n -m -t ${rk_pid}\`." - if [[ -n $U7S_ROOTLESSKIT_PORTS ]]; then - rootlessctl --socket $rk_state_dir/api.sock add-ports $U7S_ROOTLESSKIT_PORTS - fi - rc=0 - if [[ $# -eq 0 ]]; then - sleep infinity || rc=$? - else - $@ || rc=$? - fi - log::info "RootlessKit exiting (status=$rc)" - exit $rc -fi diff --git a/common/cfssl.sh b/common/cfssl.sh deleted file mode 100755 index 3e5328d..0000000 --- a/common/cfssl.sh +++ /dev/null 
@@ -1,218 +0,0 @@ -#!/bin/bash -# CFSSL tool (called only via install.sh) -# -# ref: https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/1.15.3/docs/04-certificate-authority.md -export U7S_BASE_DIR=$(realpath $(dirname $0)/..) -source $U7S_BASE_DIR/common/common.inc.sh - -# global vars -arg0="$0" -loglevel="2" -cc="$U7S_BASE_DIR/config/cfssl" - -# opts -dir="" -master="" -nodes=() - -# text for --help -usage() { - echo "Usage: ${arg0} --dir=DIR --master MASTER --node NODE0HOSTNAME,NODE0IP --node NODE1HOSTNAME,NODE1IP" - echo "DO NOT EXECUTE THIS TOOL MANUALLY" -} - -# parse CLI args -if ! args="$(getopt -o h --long help,dir:,master:,node: -n "$arg0" -- "$@")"; then - usage - exit 1 -fi -eval set -- "$args" -while true; do - case "$1" in - -h | --help) - usage - exit 0 - ;; - --dir) - dir="$2" - shift 2 - ;; - --master) - master="$2" - shift 2 - ;; - --node) - nodes=(${nodes[@]} "$2") - shift 2 - ;; - --) - shift - break - ;; - *) - break - ;; - esac -done - -if [ -z "$dir" ]; then - log::error "No dir was specified" - exit 1 -fi -mkdir -p $dir -master_d="${dir}/master" -mkdir -p ${master_d} - -if [ -z "$master" ]; then - log::error "No masterwas specified" - exit 1 -fi - -# Certificate Authority -if [[ -f "${master_d}/ca.pem" ]]; then - log::info "Already exists: ${master_d}/ca.pem" -else - log::info "Creating ${master_d}/{ca.pem,ca-key.pem}" - cfssl gencert -loglevel="$loglevel" -initca "$cc/ca-csr.json" | cfssljson -bare "${master_d}/ca" -fi - -cfssl_gencert_master() { - name="$1" - if [[ -f "${master_d}/${name}.pem" ]]; then - log::info "Already exists: ${master_d}/${name}.pem" - else - log::info "Creating ${master_d}/{${name}.pem,${name}-key.pem}" - cfssl gencert -loglevel="$loglevel" \ - -ca="${master_d}/ca.pem" \ - -ca-key="${master_d}/ca-key.pem" \ - -config="$cc/ca-config.json" \ - -profile=kubernetes \ - "$cc/${name}-csr.json" | cfssljson -bare "${master_d}/${name}" - fi -} - -create_kubeconfig() { - kubeconfig="$1" - user="$2" - server="$3" - 
ca="$4" - clientcert="$5" - clientkey="$6" - log::info "Creating $kubeconfig" - echo >$kubeconfig - kubectl config set-cluster kubernetes-the-hard-way \ - --certificate-authority=$ca \ - --embed-certs=true \ - --server=$server \ - --kubeconfig=$kubeconfig - kubectl config set-credentials $user \ - --client-certificate=$clientcert \ - --client-key=$clientkey \ - --embed-certs=true \ - --kubeconfig=$kubeconfig - kubectl config set-context default \ - --cluster=kubernetes-the-hard-way \ - --user=$user \ - --kubeconfig=$kubeconfig - kubectl config use-context default --kubeconfig=$kubeconfig -} - -# The Admin Client Certificate -cfssl_gencert_master "admin" -create_kubeconfig ${master_d}/admin-localhost.kubeconfig admin https://127.0.0.1:6443 ${master_d}/ca.pem ${master_d}/admin.pem ${master_d}/admin-key.pem -create_kubeconfig ${master_d}/admin-${master}.kubeconfig admin https://${master}:6443 ${master_d}/ca.pem ${master_d}/admin.pem ${master_d}/admin-key.pem - -# The Controller Manager Client Certificate -cfssl_gencert_master "kube-controller-manager" -create_kubeconfig ${master_d}/kube-controller-manager.kubeconfig system:kube-controller-manager https://127.0.0.1:6443 ${master_d}/ca.pem ${master_d}/kube-controller-manager.pem ${master_d}/kube-controller-manager-key.pem - -# The Kube Proxy Client Certificate -cfssl_gencert_master "kube-proxy" -create_kubeconfig ${master_d}/kube-proxy.kubeconfig system:kube-proxy https://${master}:6443 ${master_d}/ca.pem ${master_d}/kube-proxy.pem ${master_d}/kube-proxy-key.pem - -# The Scheduler Client Certificate -cfssl_gencert_master "kube-scheduler" -create_kubeconfig ${master_d}/kube-scheduler.kubeconfig system:kube-scheduler https://127.0.0.1:6443 ${master_d}/ca.pem ${master_d}/kube-scheduler.pem ${master_d}/kube-scheduler-key.pem - -# The Kubernetes API Server Certificate -if [[ -f "${master_d}/kubernetes.pem" ]]; then - log::info "Already exists: ${master_d}/kubernetes.pem" -else - log::info "Creating 
${master_d}/{kubernetes.pem,kubernetes-key.pem}" - k_hostnames="kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local" - if hostname -I &>/dev/null ; then - ip_addrs=$(hostname -I | sed -e 's/ /,/g' -e 's/,$//g') - else - ip_addrs=$(hostname -i | sed -e 's/ /,/g' -e 's/,$//g') - fi - k_cluster_ip="10.0.0.1" - cfssl gencert -loglevel="$loglevel" \ - -ca="${master_d}/ca.pem" \ - -ca-key="${master_d}/ca-key.pem" \ - -config="$cc/ca-config.json" \ - -hostname=${master},$(hostname),${ip_addrs},localhost,127.0.0.1,${k_hostnames},${k_cluster_ip} \ - -profile=kubernetes \ - "$cc/kubernetes-csr.json" | cfssljson -bare "${master_d}/kubernetes" -fi - -# The Service Account Key Pair -cfssl_gencert_master "service-account" - -# Nodes -for n in "${nodes[@]}"; do - nodename=$(echo $n | sed -e 's/,.*//g') - node_d="${dir}/nodes.${nodename}" - mkdir -p "${node_d}" - if [[ -f "${node_d}/master" ]]; then - log::info "Already exists: ${node_d}/master" - else - log::info "Writing $master to ${node_d}/master" - echo $master >${node_d}/master - fi - # The Kubelet Client Certificates - if [[ -f "${node_d}/ca.pem" ]]; then - log::info "Already exists: ${node_d}/ca.pem" - else - log::info "Copying ${master_d}/ca.pem to ${node_d}/ca.pem" - cp -f ${master_d}/ca.pem ${node_d}/ca.pem - fi - if [[ -f "${node_d}/node.pem" ]]; then - log::info "Already exists: ${node_d}/node.pem" - else - log::info "Creating ${node_d}/{node.pem,node-key.pem}" - cat >${node_d}/node-csr.json </dev/null || rc=$? - if [[ rc -eq 0 ]]; then - return 0 - fi - echo -n . - sleep 1 - done - log::error "nsenter failed after ${max_trial} attempts, RootlessKit not running?" - return 1 -} - -function nsenter::_nsenter() { - local pidfile=$XDG_RUNTIME_DIR/usernetes/rootlesskit/child_pid - if ! 
[[ -f $pidfile ]]; then - return 1 - fi - # workaround for https://github.com/rootless-containers/rootlesskit/issues/37 - # see the corresponding code in boot/rootlesskit.sh - local pidreadyfile=$XDG_RUNTIME_DIR/usernetes/rootlesskit/_child_pid.u7s-ready - if ! [[ -f $pidreadyfile ]]; then - return 1 - fi - if ! [[ $(cat $pidfile) -eq $(cat $pidreadyfile) ]]; then - return 1 - fi - export ROOTLESSKIT_STATE_DIR=$XDG_RUNTIME_DIR/usernetes/rootlesskit - # TODO(AkihiroSuda): ping to $XDG_RUNTIME_DIR/usernetes/rootlesskit/api.sock - nsenter --user --preserve-credential --mount --net --cgroup --pid --ipc --uts -t $(cat $pidfile) --wd=$PWD -- $@ -} - -# entrypoint begins -if debug::enabled; then - log::warning "Running in debug mode (\$U7S_DEBUG)" - set -x -fi - -# verify necessary environment variables -if ! [[ -w $XDG_RUNTIME_DIR ]]; then - log::error "XDG_RUNTIME_DIR needs to be set and writable" - return 1 -fi -if ! [[ -w $HOME ]]; then - log::error "HOME needs to be set and writable" - return 1 -fi - -: ${U7S_BASE_DIR=} -if [[ -z $U7S_BASE_DIR ]]; then - log::error "Usernetes base directory (\$U7S_BASE_DIR) not set" - return 1 -fi -log::debug "Usernetes base directory (\$U7S_BASE_DIR) = $U7S_BASE_DIR" -if ! [[ -d $U7S_BASE_DIR ]]; then - log::error "Usernetes base directory ($U7S_BASE_DIR) not found" - return 1 -fi - -# export PATH -PATH=$U7S_BASE_DIR/bin:/sbin:/usr/sbin:$PATH -export PATH - -# export XDG_{DATA,CONFIG,CACHE}_HOME -: ${XDG_DATA_HOME=$HOME/.local/share} -: ${XDG_CONFIG_HOME=$HOME/.config} -: ${XDG_CACHE_HOME=$HOME/.cache} -export XDG_DATA_HOME XDG_CONFIG_HOME XDG_CACHE_HOME diff --git a/config/cfssl/README.md b/config/cfssl/README.md deleted file mode 100644 index ad8ccbc..0000000 --- a/config/cfssl/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# cfssl configs - -From https://github.com/kelseyhightower/kubernetes-the-hard-way/tree/1.15.3 diff --git a/config/cfssl/admin-csr.json b/config/cfssl/admin-csr.json deleted file mode 100644 index 960ce1d..0000000 
--- a/config/cfssl/admin-csr.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "CN": "admin", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "system:masters", - "OU": "Kubernetes The Hard Way", - "ST": "Oregon" - } - ] -} diff --git a/config/cfssl/ca-config.json b/config/cfssl/ca-config.json deleted file mode 100644 index a63e0dd..0000000 --- a/config/cfssl/ca-config.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "signing": { - "default": { - "expiry": "8760h" - }, - "profiles": { - "kubernetes": { - "usages": ["signing", "key encipherment", "server auth", "client auth"], - "expiry": "8760h" - } - } - } -} diff --git a/config/cfssl/ca-csr.json b/config/cfssl/ca-csr.json deleted file mode 100644 index 8145e50..0000000 --- a/config/cfssl/ca-csr.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "CN": "Kubernetes", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "Kubernetes", - "OU": "CA", - "ST": "Oregon" - } - ] -} diff --git a/config/cfssl/kube-controller-manager-csr.json b/config/cfssl/kube-controller-manager-csr.json deleted file mode 100644 index a7e8536..0000000 --- a/config/cfssl/kube-controller-manager-csr.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "CN": "system:kube-controller-manager", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "system:kube-controller-manager", - "OU": "Kubernetes The Hard Way", - "ST": "Oregon" - } - ] -} diff --git a/config/cfssl/kube-proxy-csr.json b/config/cfssl/kube-proxy-csr.json deleted file mode 100644 index 5f33aee..0000000 --- a/config/cfssl/kube-proxy-csr.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "CN": "system:kube-proxy", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "system:node-proxier", - "OU": "Kubernetes The Hard Way", - "ST": "Oregon" - } - ] -} 
diff --git a/config/cfssl/kube-scheduler-csr.json b/config/cfssl/kube-scheduler-csr.json deleted file mode 100644 index a3129c9..0000000 --- a/config/cfssl/kube-scheduler-csr.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "CN": "system:kube-scheduler", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "system:kube-scheduler", - "OU": "Kubernetes The Hard Way", - "ST": "Oregon" - } - ] -} diff --git a/config/cfssl/kubernetes-csr.json b/config/cfssl/kubernetes-csr.json deleted file mode 100644 index 778db63..0000000 --- a/config/cfssl/kubernetes-csr.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "CN": "kubernetes", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "Kubernetes", - "OU": "Kubernetes The Hard Way", - "ST": "Oregon" - } - ] -} diff --git a/config/cfssl/service-account-csr.json b/config/cfssl/service-account-csr.json deleted file mode 100644 index be3c0ca..0000000 --- a/config/cfssl/service-account-csr.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "CN": "service-accounts", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "Kubernetes", - "OU": "Kubernetes The Hard Way", - "ST": "Oregon" - } - ] -} diff --git a/config/cni_net.d/50-bridge.conf b/config/cni_net.d/50-bridge.conf deleted file mode 100644 index 8a7edca..0000000 --- a/config/cni_net.d/50-bridge.conf +++ /dev/null @@ -1,15 +0,0 @@ -{ - "cniVersion": "0.3.0", - "name": "u7s-bridge", - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] - } -} diff --git a/config/cni_net.d/99-loopback.conf b/config/cni_net.d/99-loopback.conf deleted file mode 100644 index c4cd168..0000000 --- a/config/cni_net.d/99-loopback.conf +++ /dev/null @@ -1,4 +0,0 @@ -{ - "cniVersion": "0.3.0", - "type": "loopback" -} 
diff --git a/config/flannel/cni_net.d/10-flannel.conflist b/config/flannel/cni_net.d/10-flannel.conflist deleted file mode 100644 index cc2f213..0000000 --- a/config/flannel/cni_net.d/10-flannel.conflist +++ /dev/null @@ -1,19 +0,0 @@ -{ - "cniVersion": "0.4.0", - "name": "cbr0", - "plugins": [ - { - "type": "flannel", - "delegate": { - "hairpinMode": true, - "isDefaultGateway": true - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] -} diff --git a/config/flannel/etcd/coreos.com_network_config b/config/flannel/etcd/coreos.com_network_config deleted file mode 100644 index 07c8375..0000000 --- a/config/flannel/etcd/coreos.com_network_config +++ /dev/null @@ -1 +0,0 @@ -{"Network": "10.5.0.0/16", "Backend": {"Type": "vxlan"}} diff --git a/config/modules-load.d/usernetes.conf b/config/modules-load.d/usernetes.conf deleted file mode 100644 index 4313927..0000000 --- a/config/modules-load.d/usernetes.conf +++ /dev/null @@ -1,22 +0,0 @@ -fuse -tun -tap -bridge -br_netfilter -veth -ip_tables -ip6_tables -iptable_nat -ip6table_nat -iptable_filter -ip6table_filter -nf_tables -x_tables -xt_MASQUERADE -xt_addrtype -xt_comment -xt_conntrack -xt_mark -xt_multiport -xt_nat -xt_tcpudp diff --git a/docker-compose.yml b/docker-compose.yml index 27e2f2c..02660a0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -1,97 +1,32 @@ -version: "3" - +--- services: - init-certs: - image: ghcr.io/rootless-containers/usernetes - entrypoint: /docker-entrypoint.sh - command: - - unsudo - - /home/user/usernetes/common/cfssl.sh - - --dir=/home/user/.config/usernetes - - --master=master - - --node=node-crio - - --node=node-containerd - privileged: true - tty: true - hostname: master - volumes: - - tls-master:/home/user/.config/usernetes/master - - tls-node-crio:/home/user/.config/usernetes/nodes.node-crio - - tls-node-containerd:/home/user/.config/usernetes/nodes.node-containerd - master: - image: ghcr.io/rootless-containers/usernetes - command: - - --wait-init-certs - - --start=u7s-master-with-etcd.target - - --cidr=10.0.100.0/24 -# 2379/tcp: etcd, 6443/tcp: kube-apiserver - - --publish=0.0.0.0:2379:2379/tcp - - --publish=0.0.0.0:6443:6443/tcp - - --cni=flannel - - --cri= + node: + build: . + hostname: ${U7S_HOST_NAME:-u7s-node} privileged: true + restart: on-failure tty: true ports: - - 127.0.0.1:6443:6443 - hostname: master - networks: - - usernetes - volumes: - - tls-master:/home/user/.config/usernetes/master - node-crio: - image: ghcr.io/rootless-containers/usernetes - command: - - --wait-init-certs - - --start=u7s-node.target - - --cidr=10.0.101.0/24 -# 10250/tcp: kubelet, 8472/udp: flannel - - --publish=0.0.0.0:10250:10250/tcp - - --publish=0.0.0.0:8472:8472/udp - - --cni=flannel - - --cri=crio - privileged: true - tty: true - networks: - - usernetes - hostname: node-crio - volumes: - - tls-node-crio:/home/user/.config/usernetes/node -# FIXME: flanneld should not require tls-master -# (currently required because master and flanneld share the same etcd cluster) - - tls-master:/home/user/.config/usernetes/master - node-containerd: - image: ghcr.io/rootless-containers/usernetes - command: - - --wait-init-certs - - --start=u7s-node.target - - --cidr=10.0.102.0/24 - - --publish=0.0.0.0:10250:10250/tcp - - --publish=0.0.0.0:8472:8472/udp - - --cni=flannel - - --cri=containerd - 
privileged: true - tty: true - networks: - - usernetes - hostname: node-containerd + # etcd + - 2379:2379 + # kube-apiserver + - 6443:6443 + # kubelet + - 10250:10250 + # flannel + - 8472:8472/udp volumes: - - tls-node-containerd:/home/user/.config/usernetes/node - - tls-master:/home/user/.config/usernetes/master -networks: - usernetes: + - .:/work:ro + - /boot:/boot:ro + - /lib/modules:/lib/modules:ro + - node-var:/var + - type: tmpfs + target: /run + - type: tmpfs + target: /tmp + working_dir: /work + environment: + KUBECONFIG: /etc/kubernetes/admin.conf volumes: - tls-master: - driver_opts: - type: tmpfs - device: tmpfs - o: "uid=1000" - tls-node-crio: - driver_opts: - type: tmpfs - device: tmpfs - o: "uid=1000" - tls-node-containerd: - driver_opts: - type: tmpfs - device: tmpfs - o: "uid=1000" + node-var: {} +# TODO: persist some (not all) directories under /etc diff --git a/docs/binary-release-license/LICENSE-cfssl b/docs/binary-release-license/LICENSE-cfssl deleted file mode 100644 index bc5841f..0000000 --- a/docs/binary-release-license/LICENSE-cfssl +++ /dev/null 
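Review bot: The `ports:` list of the new `node` service publishes etcd (`2379:2379`), the apiserver (`6443:6443`) and the kubelet (`10250:10250`) with no host address, so Docker binds them on every host interface, whereas the removed `master` service limited the apiserver to `127.0.0.1:6443:6443`. Anything that can reach the host can now talk to etcd directly; whether client-certificate auth is enforced on that listener is not visible in this diff, and for the single-node setup this WIP targets none of these ports needs to be reachable from off-host. Binding to loopback by default, `- 127.0.0.1:2379:2379` and `- 127.0.0.1:6443:6443` (likewise for 10250), and letting the planned multi-node work opt in through a variable with a loopback default (the same `${VAR:-default}` form the new `hostname:` line already uses) keeps the exposure where it was. A one-line comment above the list, e.g. `# control-plane ports; keep on loopback unless another node must reach them`, would also carry forward the intent of the removed `# 2379/tcp: etcd, 6443/tcp: kube-apiserver` comment.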
@@ -1,24 +0,0 @@ -Copyright (c) 2014 CloudFlare Inc. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer. - -Redistributions in binary form must reproduce the above copyright notice, -this list of conditions and the following disclaimer in the documentation -and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/docs/binary-release-license/LICENSE-crun b/docs/binary-release-license/LICENSE-crun deleted file mode 100644 index d159169..0000000 --- a/docs/binary-release-license/LICENSE-crun +++ /dev/null 
@@ -1,339 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. 
diff --git a/docs/binary-release-license/LICENSE-fuse-overlayfs b/docs/binary-release-license/LICENSE-fuse-overlayfs deleted file mode 100644 index d159169..0000000 --- a/docs/binary-release-license/LICENSE-fuse-overlayfs +++ /dev/null 
@@ -1,339 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. 
diff --git a/docs/binary-release-license/LICENSE-slirp4netns b/docs/binary-release-license/LICENSE-slirp4netns deleted file mode 100644 index 0315e41..0000000 --- a/docs/binary-release-license/LICENSE-slirp4netns +++ /dev/null 
@@ -1,280 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS diff --git a/hack/create-hosts-lxc.sh b/hack/create-hosts-lxc.sh new file mode 100755 index 0000000..31027e9 --- /dev/null +++ b/hack/create-hosts-lxc.sh 
@@ -0,0 +1,55 @@
+#!/bin/bash
+set -eux -o pipefail
+if [ "$#" -lt 2 ]; then
+ echo "Usage: $0 DIR INST..."
+ exit 1
+fi
+dir=$1
+shift
+names=$*
+
+echo "DIR=${dir}"
+echo "INST=${names}"
+
+mkdir -p "${dir}"
+
+prvkey="${dir}/ssh_key"
+pubkey="${prvkey}.pub"
+
+if [ ! -e "${pubkey}" ]; then
+ ssh-keygen -f "${prvkey}" -q -N ""
+fi
+ssh_config="${dir}/ssh_config"
+echo "IdentityFile ${prvkey}" >"${ssh_config}"
+
+userdata="${dir}/user-data"
+if [ ! -e "${userdata}" ]; then
+ cat <"${userdata}"
+#cloud-config
+users:
+ - name: "${USER}"
+ shell: /bin/bash
+ ssh-authorized-keys:
+ - $(cat "${pubkey}")
+ - name: "${USER}-sudo"
+ shell: /bin/bash
+ ssh-authorized-keys:
+ - $(cat "${pubkey}")
+ sudo: ALL=(ALL) NOPASSWD:ALL
+EOF
+fi
+
+for name in ${names}; do
+ lxc init ubuntu:22.04 "${name}" -c security.privileged=true -c security.nesting=true
+ lxc config device add "${name}" bind-boot disk source=/boot path=/boot readonly=true
+ lxc config set "${name}" user.user-data - <"${userdata}"
+ lxc start "${name}"
+ sleep 10
+ ip="$(lxc exec "${name}" -- ip --json route get 1 | jq -r .[0].prefsrc)"
+ echo "Host ${name}" >>"${ssh_config}"
+ echo " Hostname ${ip}" >>"${ssh_config}"
+ ssh-copy-id -F "${ssh_config}" -o StrictHostKeyChecking=no "${name}"
+done
+
+echo "======"
+echo "SSH_CONFIG=${ssh_config}"
diff --git a/hack/etc_systemd_system_user@.service.d_delegate.conf b/hack/etc_systemd_system_user@.service.d_delegate.conf
deleted file mode 100644
index 7e409de..0000000
--- a/hack/etc_systemd_system_user@.service.d_delegate.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Delegate=yes
diff --git a/hack/init-host.root.sh b/hack/init-host.root.sh
new file mode 100755
index 0000000..3cb0a58
--- /dev/null
+++ b/hack/init-host.root.sh
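Review bot: The `ssh-copy-id -F "${ssh_config}" -o StrictHostKeyChecking=no "${name}"` line at the end of the loop accepts whichever host key answers at the newly assigned address and records it in the user's global known_hosts, so re-creating an instance that later lands on the same address leaves a stale pin behind, and the generated ssh_config says nothing about how host keys are to be handled afterwards. Scoping the trust decision to the lab directory keeps it explicit: add `echo "UserKnownHostsFile ${dir}/known_hosts" >>"${ssh_config}"` and `echo "StrictHostKeyChecking accept-new" >>"${ssh_config}"` next to the `IdentityFile` line (accept-new needs OpenSSH 7.6 or newer), then drop the `-o StrictHostKeyChecking=no`. The fixed `sleep 10` before `lxc exec "${name}" -- ip --json route get 1` is a race rather than a wait: if the address is not up yet, `jq` may print `null` or nothing and a `Hostname null` entry is written, so retrying until `${ip}` is non-empty and not `null` would be more robust. `security.privileged=true` on the `lxc init` line makes these instances root-equivalent on the LXD host, which is fine for a throwaway lab but deserves a one-line comment saying so.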
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -eux -o pipefail
+
+if [ "$(id -u)" != "0" ]; then
+ echo "Must run as the root"
+ exit 1
+fi
+
+if [ ! -e /etc/systemd/system/user@.service.d/delegate.conf ]; then
+ mkdir -p /etc/systemd/system/user@.service.d
+ cat </etc/systemd/system/user@.service.d/delegate.conf
+[Service]
+Delegate=cpu cpuset io memory pids
+EOF
+ systemctl daemon-reload
+fi
+
+apt-get install -y uidmap make jq
+
+if ! command -v dockerd-rootless-setuptool.sh >/dev/null 2>&1; then
+ curl https://get.docker.com | sh
+fi
+systemctl disable --now docker
diff --git a/hack/init-host.rootless.sh b/hack/init-host.rootless.sh
new file mode 100755
index 0000000..bffccdc
--- /dev/null
+++ b/hack/init-host.rootless.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -eux -o pipefail
+
+if [ "$(id -u)" == "0" ]; then
+ echo "Must not run as the root"
+ exit 1
+fi
+
+dockerd-rootless-setuptool.sh install
+docker info
diff --git a/hack/show-latest-commits.sh b/hack/show-latest-commits.sh
deleted file mode 100755
index a47d392..0000000
--- a/hack/show-latest-commits.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-set -eu -o pipefail
-
-x() {
- name=$1
- repo=$2
- revision=$3
- json=$(curl -s https://api.github.com/repos/${repo}/commits/${revision})
- sha=$(echo $json | jq -r .sha)
- date=$(echo $json | jq -r .commit.committer.date)
- echo "# ${date}"
- echo "ARG ${name}_COMMIT=${sha}"
-}
-
-x ROOTLESSKIT rootless-containers/rootlesskit master
-x CONTAINERD containerd/containerd main
-x CRIO cri-o/cri-o main
-# x KUBE_NODE kubernetes/kubernetes master
diff --git a/hack/smoketest-binaries.sh b/hack/smoketest-binaries.sh
deleted file mode 100755
index 72be920..0000000
--- a/hack/smoketest-binaries.sh
+++ /dev/null
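Review bot: `curl https://get.docker.com | sh` executes an unauthenticated, unpinned script as root, and because `sh` starts consuming the stream immediately, a truncated or error-page response is partly executed before `pipefail` reports it (curl is not given `-f`, so an HTTP error body would be run as shell). Fetching to a file first keeps the script inspectable and atomic: `curl -fsSL https://get.docker.com -o /tmp/get-docker.sh` followed by `sh /tmp/get-docker.sh`; the convenience script appears to honour a `VERSION` environment variable if the engine version should be pinned for reproducible hosts. `apt-get install -y uidmap make jq` runs without a preceding `apt-get update`, which can fail on a fresh image whose package index is empty or stale; `apt-get update && apt-get install -y uidmap make jq` is the usual form. Finally, `systemctl disable --now docker` leaves `docker.socket` enabled, and socket activation will bring the rootful daemon back on the first connection to /var/run/docker.sock; `systemctl disable --now docker.service docker.socket` disables both.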
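Review bot: `dockerd-rootless-setuptool.sh install` is run without checking that the cgroup delegation configured by hack/init-host.root.sh has actually reached this user's session; the `Delegate=` drop-in takes effect only when the `user@UID.service` instance is (re)started, so a login session that predates the root script gets a rootless daemon without cpu/memory controllers and the problem surfaces later in Kubernetes rather than here. A precheck modelled on the one the removed install.sh performed would fail fast: `f="/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"` and `grep -qw cpu "$f" && grep -qw memory "$f" || { echo "cpu/memory controllers not delegated; log in again after init-host.root.sh" >&2; exit 1; }`. The closing `docker info` only proves the rootless daemon works if the setup tool switched the CLI to the rootless context, which it may not do on every version, so `docker context show` (or an explicit `DOCKER_HOST`) next to it would make the check unambiguous. The error message `echo "Must not run as the root"` goes to stdout; `>&2` is the conventional destination for diagnostics.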
@@ -1,41 +0,0 @@
-#!/bin/bash
-source $(realpath $(dirname $0))/smoketest-common.inc.sh
-cd $(realpath $(dirname $0)/..)
-function cleanup() {
- $(pwd)/show-status.sh
- $(pwd)/uninstall.sh || true
- eval $($(pwd)/show-cleanup-command.sh) || true
-}
-trap cleanup EXIT
-
-set -x
-./install.sh $@
-
-export KUBECONFIG=$HOME/.config/usernetes/master/admin-localhost.kubeconfig
-export PATH=$(pwd)/bin:$PATH
-
-if ! timeout 60 sh -exc 'until [ $(kubectl get nodes | grep "Ready" | grep -v "NotReady" | wc -l) = "1" ]; do sleep 10; done'; then
- ERROR "Node is not ready."
- set -x
- set +eu
- systemctl --user status u7s-kube-apiserver
- kubectl get nodes -o wide
- kubectl get nodes -o yaml
- journalctl -xe --no-pager
- exit 1
-fi
-
-kubectl get nodes -o wide
-if ! timeout 60 kubectl run --rm -i --image busybox --restart=Never hello echo hello; then
- ERROR "Pod is not ready."
- set -x
- set +eu
- kubectl get pods -o yaml
- kubectl get nodes -o yaml
- journalctl -xe --no-pager
- exit 1
-fi
-
-smoketest_dns
-
-smoketest_limits
diff --git a/hack/smoketest-docker-compose.sh b/hack/smoketest-docker-compose.sh
deleted file mode 100755
index 8b4da4e..0000000
--- a/hack/smoketest-docker-compose.sh
+++ /dev/null
@@ -1,82 +0,0 @@ -#!/bin/bash -source $(realpath $(dirname $0))/smoketest-common.inc.sh -cd $(realpath $(dirname $0)/..) -tmpdir=$(mktemp -d) -function cleanup() { - set -x - make down - rm -rf $tmpdir -} -trap cleanup EXIT - -INFO "Creating the cluster" -make _up -master="usernetes_master_1" -nodes="2" - -export KUBECONFIG="$HOME/.config/usernetes/docker-compose.kubeconfig" -docker cp $master:/home/user/usernetes/bin/kubectl $tmpdir/kubectl -chmod +x $tmpdir/kubectl -export PATH=$tmpdir:$PATH - -INFO "Waiting for master ($master) to be ready." -if ! timeout 60 sh -exc "until [ \$(docker inspect -f '{{.State.Health.Status}}' $master) = \"healthy\" ]; do sleep 10; done"; then - ERROR "Master is unhealthy." - set -x - docker logs $master - exit 1 -fi - -INFO "Waiting for $nodes nodes to be ready." -if ! timeout 120 sh -exc "until [ \$(kubectl get nodes | grep \"Ready\" | grep -v \"NotReady\" | wc -l) = \"$nodes\" ]; do sleep 10; done"; then - ERROR "Nodes are not ready." - set -x - kubectl get nodes -o wide - kubectl get nodes -o yaml - exit 1 -fi -kubectl get nodes -o wide - -app="nginx" -image="nginx:alpine" -INFO "Creating $app app" -kubectl create deployment $app --image=$image -kubectl scale deployment --replicas=$nodes $app -if ! timeout 60 sh -exc "until [ \$(kubectl get pods -o json -l app=$app | jq -r \".items[].status.phase\" | grep -x \"Running\" | wc -l) = \"$nodes\" ]; do sleep 10; done"; then - ERROR "Pods are not running." - set -x - kubectl get pods -o wide -l app=$app - kubectl get pods -o yaml -l app=$app - exit 1 -fi -kubectl get pods -o wide -if ! [ $(kubectl get pods -o json -l app=$app | jq -r ".items[].spec.nodeName" | sort | uniq | wc -l) = "$nodes" ]; then - ERROR "Pod replicas are not scaled across the nodes." - set -x - kubectl get pods -o wide -l app=$app - kubectl get pods -o yaml -l app=$app - kubectl get nodes -o wide - kubectl get nodes -o yaml - exit 1 -fi - -INFO "Creating the shell pod." 
-kubectl run --restart=Never --image=alpine shell sleep infinity -if ! timeout 60 sh -exc 'until kubectl get pods -o json shell | jq -r ".status.phase" | grep -x "Running" ;do sleep 10; done'; then - ERROR "The shell pod is not running." - set -x - kubectl get pods -o wide shell - kubectl get pods -o yaml shell - exit 1 -fi -kubectl get pods -o wide - -INFO "Connecting from the shell pod to the $app pods by IP." -for ip in $(kubectl get pods -o json -l app=$app | jq -r ".items[].status.podIP"); do - INFO "Connecting to $ip." - kubectl exec shell -- wget -O- $ip -done - -smoketest_dns - -INFO "PASS" diff --git a/hack/smoketest-docker.sh b/hack/smoketest-docker.sh deleted file mode 100755 index 8716f9f..0000000 --- a/hack/smoketest-docker.sh +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/bash -set -eu -o pipefail -source $(realpath $(dirname $0))/smoketest-common.inc.sh -if [[ $# -lt 3 ]]; then - echo "Usage: $0 NAME IMAGE ARGS" - exit 1 -fi - -cd $(realpath $(dirname $0)/..) -container=$1 -image=$2 -shift 2 -args=$@ - -set -x -tmpdir=$(mktemp -d) -docker run -td --name $container -p 127.0.0.1:6443:6443 --privileged $image $args -function cleanup() { - docker rm -f $container - rm -rf $tmpdir -} -trap cleanup EXIT - -if ! timeout 60 sh -exc "until [ \$(docker inspect -f '{{.State.Health.Status}}' $container) = \"healthy\" ]; do sleep 10; done"; then - docker logs $container - exit 1 -fi - -docker cp $container:/home/user/.config/usernetes/master/admin-localhost.kubeconfig $tmpdir/admin-localhost.kubeconfig -export KUBECONFIG=$tmpdir/admin-localhost.kubeconfig - -mkdir -p $tmpdir/bin -docker cp $container:/home/user/usernetes/bin/kubectl $tmpdir/bin/kubectl -chmod +x $tmpdir/bin/kubectl -export PATH=$tmpdir/bin:$PATH - -kubectl get nodes -o wide -: "FIXME remove this sleep" -sleep 30 -if ! timeout 60 time kubectl run --rm -i --image busybox --restart=Never hello echo hello $container; then - kubectl get pods -o yaml - kubectl get nodes -o yaml - docker logs $container - exit 1 -fi - -smoketest_dns diff --git a/hack/smoketest-manifests/test-limits.yaml b/hack/smoketest-manifests/test-limits.yaml deleted file mode 100644 index fbb51d5..0000000 --- a/hack/smoketest-manifests/test-limits.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: test-limits -spec: - containers: - - name: test-limits - image: alpine - command: ["top"] - resources: - limits: - cpu: 420m - memory: 42Mi diff --git a/hack/smoketest-common.inc.sh b/hack/test-smoke.sh old mode 100644 new mode 100755 similarity index 50% rename from hack/smoketest-common.inc.sh rename to hack/test-smoke.sh index 8eb6547..166615c --- a/hack/smoketest-common.inc.sh +++ b/hack/test-smoke.sh 
@@ -1,24 +1,13 @@ #!/bin/bash set -eu -o pipefail -function INFO() { +INFO() { echo -e "\e[104m\e[97m[INFO]\e[49m\e[39m $@" } -function ERROR() { - echo >&2 -e "\e[101m\e[97m[ERROR]\e[49m\e[39m $@" -} - -function util::wait_for_pod() { - name="$1" - if ! timeout 60 sh -exc "until kubectl get pods -o json $name | jq -r \".status.phase\" | grep -x \"Running\" ;do sleep 10; done"; then - ERROR "The $name pod is not running." - set -x - kubectl get pods -o wide $name - kubectl get pods -o yaml $name - exit 1 - fi -} +for node in $(kubectl get node -o name); do + kubectl wait --for=condition=ready "${node}" +done function smoketest_dns() { INFO "Creating StatefulSet \"dnstest\" and headless Service \"dnstest\"" @@ -62,16 +51,7 @@ spec: - containerPort: 80 EOF INFO "Waiting for 3 replicas to be ready" - if ! timeout 90 sh -exc "until [ \$(kubectl get pods --field-selector status.phase=Running -l run=dnstest -o name | wc -l) = "3" ]; do sleep 10; done"; then - ERROR "Pods are not ready." - set -x - kubectl get pods -o wide - kubectl get pods -o yaml - exit 1 - fi - - INFO "FIXME: remove this sleep" - sleep 10 + kubectl rollout status statefulset INFO "Connecting to dnstest-{0,1,2}.dnstest.default.svc.cluster.local" kubectl run -i --rm --image=alpine --restart=Never dnstest-shell -- sh -exc 'for f in $(seq 0 2); do wget -O- http://dnstest-${f}.dnstest.default.svc.cluster.local; done' @@ -82,17 +62,4 @@ EOF kubectl delete statefulset dnstest } -function smoketest_limits() { - INFO "Creating Pod \"test-limits\"" - kubectl apply -f hack/smoketest-manifests/test-limits.yaml - util::wait_for_pod test-limits - - INFO "Testing memory limit (42 Mib)" - [ "$(kubectl exec test-limits -- cat /sys/fs/cgroup/memory.max)" = "$((1024 * 1024 * 42))" ] - - INFO "Testing CPU limit (0.42 cores)" - [ "$(kubectl exec test-limits -- cat /sys/fs/cgroup/cpu.max)" = "42000 100000" ] - - INFO "Deleting Pod \"test-limits\"" - kubectl delete pod test-limits -} +smoketest_dns 
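Review bot: The new top-level loop `for node in $(kubectl get node -o name); do kubectl wait --for=condition=ready "${node}"; done` passes trivially when no node has registered yet, because an empty list means the body never runs, whereas the check it replaces asserted an exact node count. `kubectl wait` also gives up after its default 30 seconds, a bound the script does not state anywhere. Guarding the list and making the timeout explicit fixes both: `nodes=$(kubectl get node -o name); [ -n "${nodes}" ] || { echo "no nodes registered" >&2; exit 1; }` before the loop, and `kubectl wait --for=condition=ready --timeout=120s "${node}"` inside it.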
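Review bot: `kubectl rollout status statefulset` turns the removed 90-second bounded wait into an unbounded one, since `rollout status` defaults to `--timeout=0s`, meaning it never gives up, so a StatefulSet that never becomes ready hangs the smoke test instead of failing it; given without a name it also appears to watch every StatefulSet in the namespace rather than only `dnstest`. `kubectl rollout status statefulset/dnstest --timeout=90s` restores both the bound and the scope. The enclosing function smoketest_dns starts in the previous hunk and ends in the next.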
diff --git a/hack/translate-dockerfile-runopt-directive.sh b/hack/translate-dockerfile-runopt-directive.sh deleted file mode 100755 index 013be2b..0000000 --- a/hack/translate-dockerfile-runopt-directive.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash - -# Input: -# FROM ... -# ... -# # runopt = --mount=type=cache,target=/root/.cache -# RUN foo - -# Output: -# # syntax = docker/dockerfile:1-experimental -# FROM ... -# ... -# RUN --mount=type=cache,target=/root/.cache foo - -echo '# syntax = docker/dockerfile:1-experimental' - -last_runopt="" -while IFS="" read -r line || [[ -n $line ]]; do - run=$(echo $line | grep -ioP '^\s*RUN\s+\K.+') - printed="" - if [[ -n $run && -n $last_runopt ]]; then - echo "RUN $last_runopt $run" - printed=1 - fi - last_runopt=$(echo $line | grep -ioP '^#\s*runopt\s*=\s*\K.+') - if [[ -z $last_runopt && -z $printed ]]; then - echo "$line" - fi -done diff --git a/install.sh b/install.sh deleted file mode 100755 index abf68a6..0000000 --- a/install.sh +++ /dev/null 
@@ -1,470 +0,0 @@ -#!/bin/bash -set -e -o pipefail - -function INFO() { - echo -e "\e[104m\e[97m[INFO]\e[49m\e[39m $@" -} - -function WARNING() { - echo >&2 -e "\e[101m\e[97m[WARNING]\e[49m\e[39m $@" -} - -function ERROR() { - echo >&2 -e "\e[101m\e[97m[ERROR]\e[49m\e[39m $@" -} - -### Detect base dir -cd $(dirname $0) -base=$(realpath $(pwd)) - -### Detect bin dir, fail early if not found -if [ ! -d "$base/bin" ]; then - ERROR "Usernetes binaries not found. Run \`make\` to build binaries. If you are looking for binary distribution of Usernetes, see https://github.com/rootless-containers/usernetes/releases ." - exit 1 -fi - -### Detect config dir -set +u -if [ -z "$HOME" ]; then - ERROR "HOME needs to be set" - exit 1 -fi -config_dir="$HOME/.config" -if [ -n "$XDG_CONFIG_HOME" ]; then - config_dir="$XDG_CONFIG_HOME" -fi -set -u - -### Parse args -arg0=$0 -start="u7s.target" -cri="containerd" -cni="" -publish="" -publish_default="0.0.0.0:6443:6443/tcp" -cidr="10.0.42.0/24" -delay="" -wait_init_certs="" -function usage() { - echo "Usage: ${arg0} [OPTION]..." - echo "Install Usernetes systemd units to ${config_dir}/systemd/unit ." - echo - echo " --start=UNIT Enable and start the specified target after the installation, e.g. \"u7s.target\". Set to an empty to disable autostart. (Default: \"$start\")" - echo " --cri=RUNTIME Specify CRI runtime, \"containerd\" or \"crio\". (Default: \"$cri\")" - echo ' --cni=RUNTIME Specify CNI, an empty string (none) or "flannel". (Default: none)' - echo " -p, --publish=PORT Publish ports in RootlessKit's network namespace, e.g. \"0.0.0.0:10250:10250/tcp\". Can be specified multiple times. (Default: \"${publish_default}\")" - echo " --cidr=CIDR Specify CIDR of RootlessKit's network namespace, e.g. \"10.0.100.0/24\". 
(Default: \"$cidr\")" - echo - echo "Examples:" - echo " # The default options" - echo " ${arg0}" - echo - echo " # Use CRI-O as the CRI runtime" - echo " ${arg0} --cri=crio" - echo - echo 'Use `uninstall.sh` for uninstallation.' - echo 'For an example of multi-node cluster with flannel, see docker-compose.yaml' - echo - echo 'Hint: `sudo loginctl enable-linger` to start user services automatically on the system start up.' -} - -set +e -args=$(getopt -o hp: --long help,publish:,start:,cri:,cni:,cidr:,,delay:,wait-init-certs -n $arg0 -- "$@") -getopt_status=$? -set -e -if [ $getopt_status != 0 ]; then - usage - exit $getopt_status -fi -eval set -- "$args" -while true; do - case "$1" in - -h | --help) - usage - exit 0 - shift - ;; - -p | --publish) - publish="$publish $2" - shift 2 - ;; - --start) - start="$2" - shift 2 - ;; - --cri) - cri="$2" - case "$cri" in - "" | containerd | crio) ;; - - *) - ERROR "Unknown CRI runtime \"$cri\". Supported values: \"containerd\" (default) \"crio\" \"\"." - exit 1 - ;; - esac - shift 2 - ;; - --cni) - cni="$2" - case "$cni" in - "" | "flannel") ;; - - *) - ERROR "Unknown CNI \"$cni\". Supported values: \"\" (default) \"flannel\" ." - exit 1 - ;; - esac - shift 2 - ;; - --cidr) - cidr="$2" - shift 2 - ;; - --delay) - # HIDDEN FLAG. DO NO SPECIFY MANUALLY. - delay="$2" - shift 2 - ;; - --wait-init-certs) - # HIDDEN FLAG FOR DOCKER COMPOSE. DO NO SPECIFY MANUALLY. - wait_init_certs=1 - shift 1 - ;; - --) - shift - break - ;; - *) - break - ;; - esac -done - -# set default --publish if none was specified -if [[ -z "$publish" ]]; then - publish=$publish_default -fi - -# check cgroup config -if [[ ! -f /sys/fs/cgroup/cgroup.controllers ]]; then - ERROR "Needs cgroup v2, see https://rootlesscontaine.rs/getting-started/common/cgroup2/" - exit 1 -else - f="/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers" - if [[ ! -f $f ]]; then - ERROR "systemd not running? file not found: $f" - exit 1 - fi - if ! 
grep -q cpu $f; then - WARNING "cpu controller might not be enabled, you need to configure /etc/systemd/system/user@.service.d , see https://rootlesscontaine.rs/getting-started/common/cgroup2/" - elif ! grep -q memory $f; then - WARNING "memory controller might not be enabled, you need to configure /etc/systemd/system/user@.service.d , see https://rootlesscontaine.rs/getting-started/common/cgroup2/" - else - INFO "Rootless cgroup (v2) is supported" - fi -fi - -# check kernel modules -for f in $(cat ${base}/config/modules-load.d/usernetes.conf); do - if ! grep -qw "^$f" /proc/modules; then - WARNING "Kernel module $f not loaded" - fi -done - -# Delay for debugging -if [[ -n "$delay" ]]; then - INFO "Delay: $delay seconds..." - sleep "$delay" -fi - -### Create EnvironmentFile (~/.config/usernetes/env) -mkdir -p ${config_dir}/usernetes -cat /dev/null >${config_dir}/usernetes/env -cat <>${config_dir}/usernetes/env -U7S_ROOTLESSKIT_PORTS=${publish} -EOF -if [ "$cni" = "flannel" ]; then - cat <>${config_dir}/usernetes/env -U7S_FLANNEL=1 -EOF -fi -if [ -n "$cidr" ]; then - cat <>${config_dir}/usernetes/env -U7S_ROOTLESSKIT_FLAGS=--cidr=${cidr} -EOF -fi - -if [[ -n "$wait_init_certs" ]]; then - max_trial=300 - INFO "Waiting for certs to be created.": - for ((i = 0; i < max_trial; i++)); do - if [[ -f ${config_dir}/usernetes/node/done || -f ${config_dir}/usernetes/master/done ]]; then - echo "OK" - break - fi - echo -n . - sleep 5 - done -elif [[ ! 
-d ${config_dir}/usernetes/master ]]; then - ### If the keys are not generated yet, generate them for the single-node cluster - INFO "Generating single-node cluster TLS keys (${config_dir}/usernetes/{master,node})" - cfssldir=$(mktemp -d /tmp/cfssl.XXXXXXXXX) - master=127.0.0.1 - node=$(hostname) - ${base}/common/cfssl.sh --dir=${cfssldir} --master=$master --node=$node,127.0.0.1 - rm -rf ${config_dir}/usernetes/{master,node} - cp -r "${cfssldir}/master" ${config_dir}/usernetes/master - cp -r "${cfssldir}/nodes.$node" ${config_dir}/usernetes/node - rm -rf "${cfssldir}" -fi - -### Begin installation -INFO "Base dir: ${base}" -mkdir -p ${config_dir}/systemd/user -function x() { - name=$1 - path=${config_dir}/systemd/user/${name} - INFO "Installing $path" - cat >$path -} - -service_common="WorkingDirectory=${base} -EnvironmentFile=${config_dir}/usernetes/env -Restart=on-failure -LimitNOFILE=65536 -" - -### u7s -cat <