From fef1ede240a77656a7116a7cd8ad4c1221a255c8 Mon Sep 17 00:00:00 2001
From: Andy Zheng
Date: Mon, 10 Aug 2015 16:59:00 -0700
Subject: [PATCH] Add config to run minions on GCE using Ubuntu.

It is for running nodes on Ubuntu image upto 14.04 LTS (Trusty). The change for running master on Ubuntu will be added later. The configuration consists of several upstart jobs, which is passed to node instances through GCE metadata and parsed by cloud-init.
---
cluster/gce/trusty/helper.sh | 155 +++++++++++++++++++
cluster/gce/trusty/node.yaml | 286 +++++++++++++++++++++++++++++++++++
cluster/gce/util.sh | 8 +-
3 files changed, 447 insertions(+), 2 deletions(-)
create mode 100644 cluster/gce/trusty/helper.sh
create mode 100644 cluster/gce/trusty/node.yaml

diff --git a/cluster/gce/trusty/helper.sh b/cluster/gce/trusty/helper.sh
new file mode 100644
index 0000000000..6ad5f79c72
--- /dev/null
+++ b/cluster/gce/trusty/helper.sh
@@ -0,0 +1,155 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# A library of helper functions and constant for ubuntu os distro
+
+# The code and configuration is for running node instances on Ubuntu images.
+# The master is still on Debian. In addition, the configuration is based on
+# upstart, which is in Ubuntu upto 14.04 LTS (Trusty). Ubuntu 15.04 and above
+# replaced upstart with systemd as the init system. Consequently, the
+# configuration cannot work on these images.
+
+# $1: if 'true', we're building a master yaml, else a node
+function build-kube-env {
+ local master=$1
+ local file=$2
+
+ rm -f ${file}
+ # TODO(andyzheng0831): master node is still running with Debian image. Switch it
+ # to Ubuntu trusty.
+ if [[ "${master}" == "true" ]]; then
+ cat >$file <>$file < /dev/null; then
+ echo "Add rules to accpet all inbound TCP/UDP packets"
+ iptables -A INPUT -w -p TCP -j ACCEPT
+ iptables -A INPUT -w -p UDP -j ACCEPT
+ fi
+ if iptables -L FORWARD | grep "Chain FORWARD (policy DROP)" > /dev/null; then
+ echo "Add rules to accpet all forwarded TCP/UDP packets"
+ iptables -A FORWARD -w -p TCP -j ACCEPT
+ iptables -A FORWARD -w -p UDP -j ACCEPT
+ fi
+ # Create required directories.
+ mkdir -p /var/lib/kubelet
+ mkdir -p /var/lib/kube-proxy
+ mkdir -p /etc/kubernetes/manifests
+
+ # Fetch kube-env from GCE metadata server.
+ curl --fail --silent --show-error \
+ -H "X-Google-Metadata-Request: True" \
+ -o /etc/kube-env \
+ http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env
+
+ # Create the kubelet kubeconfig file.
+ . /etc/kube-env
+ cat > /var/lib/kubelet/kubeconfig << EOF
+apiVersion: v1
+kind: Config
+users:
+- name: kubelet
+ user:
+ token: ${KUBELET_TOKEN}
+clusters:
+- name: local
+ cluster:
+ insecure-skip-tls-verify: true
+contexts:
+- context:
+ cluster: local
+ user: kubelet
+ name: service-account-context
+current-context: service-account-context
+EOF
+
+ # Create the kube-proxy config file.
+ cat > /var/lib/kube-proxy/kubeconfig << EOF
+apiVersion: v1
+kind: Config
+users:
+- name: kube-proxy
+ user:
+ token: ${KUBE_PROXY_TOKEN}
+clusters:
+- name: local
+ cluster:
+ insecure-skip-tls-verify: true
+contexts:
+- context:
+ cluster: local
+ user: kube-proxy
+ name: service-account-context
+current-context: service-account-context
+EOF
+end script
+
+--===============6024533374511606659==
+MIME-Version: 1.0
+Content-Type: text/upstart-job; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="kube-install-packages.conf"
+
+#upstart-job
+
+description "Install packages needed to run kubernetes"
+
+start on cloud-config
+
+script
+ apt-get update
+ # Install docker, brctl, and socat if they are not in the image.
+ if ! which docker > /dev/null; then
+ echo "Do not find docker. Install it."
+ # We should install the docker that passes qualification. At present, it is version 1.7.1.
+ curl -sSL https://get.docker.com/ubuntu/ | DOCKER_VERSION=1.7.1 sh
+ fi
+ if ! which brctl > /dev/null; then
+ echo "Do not find brctl. Install it."
+ apt-get install --yes bridge-utils
+ fi
+ if ! which socat > /dev/null; then
+ echo "Do not find socat. Install it."
+ apt-get install --yes socat
+ fi
+end script
+
+--===============6024533374511606659==
+MIME-Version: 1.0
+Content-Type: text/upstart-job; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="kube-install-minion.conf"
+
+#upstart-job
+
+description "Download and install k8s binaries and configurations"
+
+start on stopped kube-env
+
+script
+ . /etc/kube-env
+ # If kubelet or kube-proxy is not stalled in the image, pull release binaries and put them in /usr/bin.
+ if ! which kubelet > /dev/null || ! which kube-proxy > /dev/null; then
+ cd /tmp
+ k8s_sha1="${SERVER_BINARY_TAR_URL##*/}.sha1"
+ echo "Downloading k8s tar sha1 file ${k8s_sha1}"
+ curl -Lo "${k8s_sha1}" --connect-timeout 20 --retry 6 --retry-delay 2 "${SERVER_BINARY_TAR_URL}.sha1"
+ k8s_tar="${SERVER_BINARY_TAR_URL##*/}"
+ echo "Downloading k8s tar file ${k8s_tar}"
+ curl -Lo "${k8s_tar}" --connect-timeout 20 --retry 6 --retry-delay 2 "${SERVER_BINARY_TAR_URL}"
+ # Validate hash.
+ actual=$(sha1sum ${k8s_tar} | awk '{ print $1 }') || true
+ if [ "${actual}" != "${SERVER_BINARY_TAR_HASH}" ]; then
+ echo "== ${k8s_tar} corrupted, sha1 ${actual} doesn't match expected ${SERVER_BINARY_TAR_HASH} =="
+ else
+ echo "Validated ${SERVER_BINARY_TAR_URL} SHA1 = ${SERVER_BINARY_TAR_HASH}"
+ fi
+ tar xzf "/tmp/${k8s_tar}" -C /tmp/ --overwrite
+ cp /tmp/kubernetes/server/bin/kubelet /usr/bin/
+ cp /tmp/kubernetes/server/bin/kube-proxy /usr/bin/
+ rm -rf "/tmp/kubernetes"
+ rm "/tmp/${k8s_tar}"
+ rm "/tmp/${k8s_sha1}"
+ fi
+
+ # Put saltbase configuration files in /etc/saltbase. We will use the add-on yaml files.
+ mkdir -p /etc/saltbase
+ cd /etc/saltbase
+ salt_sha1="${SALT_TAR_URL##*/}.sha1"
+ echo "Downloading Salt tar sha1 file ${salt_sha1}"
+ curl -Lo "${salt_sha1}" --connect-timeout 20 --retry 6 --retry-delay 2 "${SALT_TAR_URL}.sha1"
+ salt_tar="${SALT_TAR_URL##*/}"
+ echo "Downloading Salt tar file ${salt_tar}"
+ curl -Lo "${salt_tar}" --connect-timeout 20 --retry 6 --retry-delay 2 "${SALT_TAR_URL}"
+ # Validate hash.
+ actual=$(sha1sum ${salt_tar} | awk '{ print $1 }') || true
+ if [ "${actual}" != "${SALT_TAR_HASH}" ]; then
+ echo "== ${salt_tar} corrupted, sha1 ${actual} doesn't match expected ${SALT_TAR_HASH} =="
+ else
+ echo "Validated ${SALT_TAR_URL} SHA1 = ${SALT_TAR_HASH}"
+ fi
+ tar xzf "/etc/saltbase/${salt_tar}" -C /etc/saltbase/ --overwrite
+ rm "/etc/saltbase/${salt_sha1}"
+ rm "/etc/saltbase/${salt_tar}"
+end script
+
+--===============6024533374511606659==
+MIME-Version: 1.0
+Content-Type: text/upstart-job; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="kubelet.conf"
+
+#upstart-job
+
+description "Run kubelet service"
+
+start on stopped kube-install-minion and stopped kube-install-packages
+
+respawn
+
+script
+ # TODO(andyzheng0831): Add health check functionality.
+ . /etc/kube-env
+ /usr/bin/kubelet \
+ --api_servers=https://${KUBERNETES_MASTER_NAME} \
+ --enable-debugging-handlers=true \
+ --cloud_provider=gce \
+ --config=/etc/kubernetes/manifests \
+ --allow_privileged=false \
+ --v=2 \
+ --cluster_dns=10.0.0.10 \
+ --cluster_domain=cluster.local \
+ --configure-cbr0=true \
+ --cgroup_root=/ \
+ --system-container=/system
+end script
+
+# Wait for 10s to start kubelet again.
+post-stop exec sleep 10
+
+--===============6024533374511606659==
+MIME-Version: 1.0
+Content-Type: text/upstart-job; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="kube-proxy.conf"
+
+#upstart-job
+
+description "Start kube-proxy service"
+
+start on stopped kube-install-minion and stopped kube-install-packages
+
+respawn
+
+script
+ . /etc/kube-env
+ /usr/bin/kube-proxy \
+ --master=https://${KUBERNETES_MASTER_NAME} \
+ --kubeconfig=/var/lib/kube-proxy/kubeconfig \
+ --v=2
+end script
+
+# Wait for 10s to start kube-proxy again.
+post-stop exec sleep 10
+
+--===============6024533374511606659==
+MIME-Version: 1.0
+Content-Type: text/upstart-job; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="kube-docker.conf"
+
+#upstart-job
+
+description "Restart docker daemon"
+
+start on started kubelet
+
+script
+ . /etc/kube-env
+ # Assemble docker deamon options
+ echo "DOCKER_OPTS=\"-p /var/run/docker.pid ${EXTRA_DOCKER_OPTS} --log-level=\"debug\" --bridge cbr0 --iptables=false --ip-masq=false\"" > /etc/default/docker
+ # Make sure the network interface cbr0 is created before restarting docker daemon
+ while ! [ -L /sys/class/net/cbr0 ]; do
+ echo "Sleep 1 second to wait for cbr0"
+ sleep 1
+ done
+ initctl restart docker
+ # Remove docker0
+ ifconfig docker0 down
+ brctl delbr docker0
+end script
+
+--===============6024533374511606659==
+MIME-Version: 1.0
+Content-Type: text/upstart-job; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="kube-addons.conf"
+
+#upstart-job
+
+description "Install kubelet add-on manifest files"
+
+start on stopped kube-docker
+
+script
+ # Configuration files are located at /etc/saltbase.
+ .
/etc/kube-env + if [ "${ENABLE_NODE_LOGGING}" = "true" ]; then + if [ "${LOGGING_DESTINATION}" = "gcp" ]; then + cp /etc/saltbase/kubernetes/saltbase/salt/fluentd-gcp/fluentd-gcp.yaml /etc/kubernetes/manifests/ + elif [ "${LOGGING_DESTINATION}" = "elasticsearch" ]; then + cp /etc/saltbase/kubernetes/saltbase/salt/fluentd-es/fluentd-es.yaml /etc/kubernetes/manifests/ + fi + fi +end script + +--===============6024533374511606659==-- + diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh index 61f3835b79..dd14ec56f8 100755 --- a/cluster/gce/util.sh +++ b/cluster/gce/util.sh @@ -22,7 +22,7 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. source "${KUBE_ROOT}/cluster/gce/${KUBE_CONFIG_FILE-"config-default.sh"}" source "${KUBE_ROOT}/cluster/common.sh" -if [[ "${OS_DISTRIBUTION}" == "debian" || "${OS_DISTRIBUTION}" == "coreos" ]]; then +if [[ "${OS_DISTRIBUTION}" == "debian" || "${OS_DISTRIBUTION}" == "coreos" || "${OS_DISTRIBUTION}" == "trusty" ]]; then source "${KUBE_ROOT}/cluster/gce/${OS_DISTRIBUTION}/helper.sh" else echo "Cannot operate on cluster using os distro: ${OS_DISTRIBUTION}" >&2 @@ -1196,7 +1196,11 @@ function ssh-to-node { # Restart the kube-proxy on a node ($1) function restart-kube-proxy { - ssh-to-node "$1" "sudo /etc/init.d/kube-proxy restart" + if [[ "${OS_DISTRIBUTION}" == "trusty" ]]; then + ssh-to-node "$1" "sudo initctl restart kube-proxy" + else + ssh-to-node "$1" "sudo /etc/init.d/kube-proxy restart" + fi } # Restart the kube-apiserver on a node ($1)
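Review bot: In the kube-install-minion job of node.yaml, a SHA1 mismatch on the server tarball only prints the "corrupted" message; the script then continues to `tar xzf` and copies kubelet and kube-proxy into /usr/bin as root, so the check blocks nothing. The mismatch branch should stop the job, for example `exit 1` right after the echo. The `|| true` on the `actual=$(sha1sum ...)` line should also go, so that a failed download is not reduced to an empty string that is compared and then ignored. The Salt tarball block further down in the same job has the same shape and needs the same change. The downloaded `.sha1` files are never read (the comparison uses SERVER_BINARY_TAR_HASH and SALT_TAR_HASH from kube-env), so those two curl calls add nothing; the start of this hunk is not intact on the page, so earlier lines are not covered by this note.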