Merge "Docker: Run docker without iptables"

tools/gate/playbooks/build-images/tasks/kubeadm-aio.yaml

@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+#NOTE(portdirect): Untill https://github.com/ansible/ansible/issues/21433 is
+# reolved, we build with a shell script to make use of the host network.
 - name: Kubeadm-AIO build
   block:
     #NOTE(portdirect): we do this to ensure we are feeding the docker build
@@ -19,17 +21,33 @@
     - name: Kubeadm-AIO image build path
       shell: cd "{{ work_dir }}"; pwd
       register: kubeadm_aio_path
-    - name: build the Kubeadm-AIO image
+    # - name: build the Kubeadm-AIO image
-      docker_image:
+    #   docker_image:
-         path: "{{ kubeadm_aio_path.stdout }}/"
+    #      path: "{{ kubeadm_aio_path.stdout }}/"
-         name: "{{ images.kubernetes.kubeadm_aio }}"
+    #      name: "{{ images.kubernetes.kubeadm_aio }}"
-         dockerfile: "tools/images/kubeadm-aio/Dockerfile"
+    #      dockerfile: "tools/images/kubeadm-aio/Dockerfile"
-         force: yes
+    #      force: yes
-         pull: yes
+    #      pull: yes
-         state: present
+    #      state: present
-         rm: yes
+    #      rm: yes
-         buildargs:
+    #      buildargs:
-           KUBE_VERSION: "{{ version.kubernetes }}"
+    #        KUBE_VERSION: "{{ version.kubernetes }}"
-           CNI_VERSION: "{{ version.cni }}"
+    #        CNI_VERSION: "{{ version.cni }}"
-           HELM_VERSION: "{{ version.helm }}"
+    #        HELM_VERSION: "{{ version.helm }}"
-           CHARTS: "calico,flannel,tiller,kube-dns"
+    #        CHARTS: "calico,flannel,tiller,kube-dns"
+    - name: Kubeadm-AIO image build path
+      shell: |-
+              set -e
+              docker build \
+                --network host \
+                --force-rm \
+                --tag "{{ images.kubernetes.kubeadm_aio }}" \
+                --file tools/images/kubeadm-aio/Dockerfile \
+                --build-arg KUBE_VERSION="{{ version.kubernetes }}" \
+                --build-arg CNI_VERSION="{{ version.cni }}" \
+                --build-arg HELM_VERSION="{{ version.helm }}" \
+                --build-arg CHARTS="calico,flannel,tiller,kube-dns" \
+                .
+      args:
+        chdir: "{{ kubeadm_aio_path.stdout }}/"
+        executable: /bin/bash

tools/gate/playbooks/deploy-docker/tasks/main.yaml

@@ -17,18 +17,6 @@
   register: need_docker
   ignore_errors: True
 
-- name: deploy docker packages
-  when: need_docker | failed
-  include_role:
-    name: deploy-package
-    tasks_from: dist
-  vars:
-    packages:
-      deb:
-        - docker.io
-      rpm:
-        - docker-latest
-
 - name: centos | moving systemd unit into place
   when: ( ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' ) and ( need_docker | failed )
   template:
@@ -43,6 +31,25 @@
     dest: /etc/systemd/system/docker.service
     mode: 0640
 
+- name: ubuntu | moving systemd unit into place
+  when: ( ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' ) and ( need_docker | failed )
+  template:
+    src: ubuntu-docker.service.j2
+    dest: /etc/systemd/system/docker.service
+    mode: 0640
+
+- name: deploy docker packages
+  when: need_docker | failed
+  include_role:
+    name: deploy-package
+    tasks_from: dist
+  vars:
+    packages:
+      deb:
+        - docker.io
+      rpm:
+        - docker-latest
+
 - name: restarting docker
   systemd:
     state: restarted

tools/gate/playbooks/deploy-docker/templates/centos-docker.service.j2

@@ -17,7 +17,8 @@ ExecStart=/usr/bin/dockerd-latest \
           --userland-proxy-path=/usr/libexec/docker/docker-proxy-latest \
           -g /var/lib/docker \
           --storage-driver=overlay \
-          --log-driver=json-file
+          --log-driver=json-file \
+          --iptables=false
 ExecReload=/bin/kill -s HUP $MAINPID
 LimitNOFILE=1048576
 LimitNPROC=1048576

tools/gate/playbooks/deploy-docker/templates/fedora-docker.service.j2

@@ -16,7 +16,8 @@ ExecStart=/usr/bin/dockerd-latest \
           --userland-proxy-path=/usr/libexec/docker/docker-proxy-latest \
           -g /var/lib/docker \
           --storage-driver=overlay2 \
-          --log-driver=json-file
+          --log-driver=json-file \
+          --iptables=false
 ExecReload=/bin/kill -s HUP $MAINPID
 TasksMax=8192
 LimitNOFILE=1048576

tools/gate/playbooks/deploy-docker/templates/ubuntu-docker.service.j2

@@ -0,0 +1,30 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network.target docker.socket firewalld.service
+Requires=docker.socket
+
+[Service]
+Type=notify
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+EnvironmentFile=-/etc/default/docker
+ExecStart=/usr/bin/dockerd --iptables=false -H fd:// $DOCKER_OPTS
+ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet.service.j2

@@ -4,7 +4,8 @@ Documentation=http://kubernetes.io/docs/
 
 [Service]
 ExecStartPre=/sbin/swapoff -a
-ExecStartPre=/bin/bash -c "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
+ExecStartPre=/bin/bash -cex "modprobe br_netfilter"
+ExecStartPre=/bin/bash -cex "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
 ExecStart=/usr/bin/kubelet
 Restart=always
 StartLimitInterval=0