Kubeadm-aio container for dev and gates

This PS brings in a container for setting up a Kubeadm based
AIO environement for development and Gating purposes.

FROM ubuntu:16.04
MAINTAINER pete.birley@att.com
ENV container="docker" \
RUN set -x \
&& cd /tmp \
&& apt-get update \
&& apt-get install -y \
apt-transport-https \
ca-certificates \
curl \
# Add Kubernetes repo
&& curl -sSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - \
&& echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list \
&& apt-get update \
&& apt-get install -y \
docker.io \
iptables \
kubectl \
kubelet \
kubernetes-cni \
# Install Kubeadm without running postinstall script as it expects systemd to be running.
&& apt-get download kubeadm \
&& dpkg --unpack kubeadm*.deb \
&& mv /var/lib/dpkg/info/kubeadm.postinst /opt/kubeadm.postinst \
&& dpkg --configure kubeadm \
&& apt-get install -yf kubeadm \
&& mkdir -p /etc/kubernetes/manifests \
# Move kubelet binary as we will run containerised
&& mv /usr/bin/kubelet /usr/bin/kubelet-real \
# Install helm binary
&& curl -sSL https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz | tar -zxv --strip-components=1 \
&& mv /tmp/helm /usr/bin/helm \
# Install openstack-helm dev utils
&& apt-get install -y \
make \
git \
vim \
# Install nfs utils for development PVC provisioner
nfs-common \
# Tweak Systemd units and targets for running in a container
&& find /lib/systemd/system/sysinit.target.wants/ ! -name 'systemd-tmpfiles-setup.service' -type l -exec rm -fv {} + \
&& rm -fv \
/lib/systemd/system/multi-user.target.wants/* \
/etc/systemd/system/*.wants/* \
/lib/systemd/system/local-fs.target.wants/* \
/lib/systemd/system/sockets.target.wants/*udev* \
/lib/systemd/system/sockets.target.wants/*initctl* \
/lib/systemd/system/basic.target.wants/* \
# Clean up apt cache
&& rm -rf /var/lib/apt/lists/* \
# Clean up tmp dir
&& cd / \
&& rm -rf /tmp/*
# Load assets into place, setup startup target & units
COPY ./assets/ /
RUN set -x \
&& ln -s /usr/lib/systemd/system/container-up.target /etc/systemd/system/default.target \
&& mkdir -p /etc/systemd/system/container-up.target.wants \
&& ln -s /usr/lib/systemd/system/kubeadm-aio.service /etc/systemd/system/container-up.target.wants/kubeadm-aio.service
VOLUME /sys/fs/cgroup
CMD /kubeadm-aio

# Kubeadm AIO Container
This container builds a small AIO Kubeadm based Kubernetes deployment for Development and Gating use.
## Instructions
### OS Specific Host setup:
#### Ubuntu:
From a freshly provisioned Ubuntu 16.04 LTS host run:
``` bash
sudo apt-get update -y
sudo apt-get install -y \
docker.io \
### Build and deploy the AIO environment
From the root directory of the OpenStack-Helm repo run:
``` bash
export KUBEADM_IMAGE=openstack-helm/kubeadm-aio:v1.6
sudo docker build --pull -t ${KUBEADM_IMAGE} tools/kubeadm-aio
To launch the environment then run:
``` bash
export KUBEADM_IMAGE=openstack-helm/kubeadm-aio:v1.6
export KUBE_VERSION=v1.6.0
export KUBECONFIG=${HOME}/.kubeadm-aio/admin.conf
One this has run, you should hopefully have a Kubernetes single node environment
running, with Helm, Calico, a NFS PVC provisioner and appropriate RBAC rules and
node labels to get developing.
If you wish to use this environment at the primary Kubernetes environment on
your host you may run the following, but note that this will wipe any previous
client configuration you may have.
``` bash
mkdir -p ${HOME}/.kube
cat ${HOME}/.kubeadm-aio/admin.conf > ${HOME}/.kube/config
If you wish to create dummy network devices for Neutron to manage there is a
helper script that can set them up for you:
``` bash
sudo docker exec kubelet /usr/bin/openstack-helm-aio-network-prep
### Logs
You can get the logs from your `kubeadm-aio` container by running:
``` bash
sudo docker logs -f kubeadm-aio

# If KUBE_VERSION is set 'default' kubeadm will use the default version of K8s
# otherwise the version specified here will be used.

# If KUBE_BIND_DEV is set to 'autodetect' we will use kubeadm's autodetect logic
# otherwise use the device specified to find the IP address to bind to.

# If KUBELET_CONTAINER is set 'to_this' one we will not attempt to launch a new
# container for the kubelet process, otherwise use the image tag specified

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
echo "Checking cgroups"
if ls -dZ /sys/fs/cgroup | grep -q :svirt_sandbox_file_t: ; then
echo "Invocation error: use -v /sys/fs/cgroup:/sys/fs/cgroup:ro parameter to docker run."
exit 1
echo "Setting up K8s version to deploy"
: ${KUBE_VERSION:="default"}
sed -i "s|KUBE_VERSION=.*|KUBE_VERSION=${KUBE_VERSION}|g" /etc/kube-version
echo "Setting up device image to use for kube-api"
: ${KUBE_BIND_DEV:="autodetect"}
sed -i "s|KUBE_BIND_DEV=.*|KUBE_BIND_DEV=${KUBE_BIND_DEV}|g" /etc/kubeapi-device
echo "Setting up container image to use for kubelet"
: ${KUBELET_CONTAINER:="this_one"}
echo "Starting Systemd"
exec /bin/systemd --system

kind: Service
apiVersion: v1
name: nfs-provisioner
app: nfs-provisioner
- name: nfs
port: 2049
- name: mountd
port: 20048
- name: rpcbind
port: 111
- name: rpcbind-udp
port: 111
protocol: UDP
app: nfs-provisioner
kind: Deployment
apiVersion: extensions/v1beta1
name: nfs-provisioner
replicas: 1
type: Recreate
app: nfs-provisioner
- name: nfs-provisioner
image: quay.io/kubernetes_incubator/nfs-provisioner:v1.0.3
- name: nfs
containerPort: 2049
- name: mountd
containerPort: 20048
- name: rpcbind
containerPort: 111
- name: rpcbind-udp
containerPort: 111
protocol: UDP
- "-provisioner=example.com/nfs"
- "-grace-period=10"
- name: POD_IP
fieldPath: status.podIP
value: nfs-provisioner
fieldPath: metadata.namespace
imagePullPolicy: "IfNotPresent"
- name: export-volume
mountPath: /export
- name: export-volume
path: /var/lib/nfs-provisioner

kind: StorageClass
apiVersion: storage.k8s.io/v1
name: general
provisioner: example.com/nfs

apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
- kind: Group
name: system:masters
- kind: Group
name: system:authenticated
- kind: Group
name: system:unauthenticated

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
# Define k8s version
source /etc/kube-version
if [[ "${KUBE_VERSION}" == "default" ]]; then
echo "We will use K8s ${KUBE_VERSION}"
echo "Setting up K8s"
source /etc/kubeapi-device
if [[ "$KUBE_BIND_DEV" != "autodetect" ]]; then
KUBE_BIND_IP=$(ip addr list ${KUBE_BIND_DEV} |grep "inet " |cut -d' ' -f6|cut -d/ -f1)
echo "We are going to bind the K8s API to: ${KUBE_BIND_IP}"
kubeadm init --skip-preflight-checks ${KUBE_VERSION_FLAG} --api-advertise-addresses ${KUBE_BIND_IP}
kubeadm init --skip-preflight-checks ${KUBE_VERSION_FLAG}
echo "Setting up K8s client"
cp /etc/kubernetes/admin.conf /root/
export KUBECONFIG=/root/admin.conf
echo "Marking master node as sceduleable"
kubectl taint nodes --all node-role.kubernetes.io/master-
echo "Installing Calico CNI"
kubectl create -f http://docs.projectcalico.org/v2.1/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml
echo "Setting Up Cluser for OpenStack-Helm dev use"

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
# Set the KUBELET_CONTAINER env var
source /etc/kubelet-container
# Detrmine the Cgroup driver in use by Docker
CGROUP_DRIVER=$(docker info | awk '/^Cgroup Driver:/ { print $NF }')
if [[ "${KUBELET_CONTAINER}" == "this_one" ]]; then
exec kubelet-real \
--containerized=true \
--enable-cri=false \
--cgroup-driver=${CGROUP_DRIVER} "${@}"
# Lets remove any old containers
docker rm -f kubelet || true
# Launch the container
exec docker run \
--name kubelet \
--restart=always \
--volume=/sys/fs/cgroup:/sys/fs/cgroup:ro \
--volume=/:/rootfs:ro \
--volume=/dev/net:/dev/net:rw \
--volume=/var/run/netns:/var/run/netns:rw \
--volume=/sys:/sys:ro \
--volume=/etc/machine-id:/etc/machine-id:ro \
--volume=/opt/cni:/opt/cni:rw \
--volume=/etc/cni/net.d:/etc/cni/net.d:rw \
--volume=/var/lib/docker/:/var/lib/docker:rw \
--volume=/var/lib/kubelet/:/var/lib/kubelet:rshared \
--volume=/var/run:/var/run:rw \
--volume=/etc/kubernetes:/etc/kubernetes:rw \
--volume=/etc/hosts:/etc/hosts:rw \
--volume=/etc/resolv.conf:/etc/resolv.conf:rw \
--net=host \
--privileged=true \
--pid=host \
--ipc=host \
kubelet \
--containerized=true \
--enable-cri=false \
--cgroup-driver=${CGROUP_DRIVER} "${@}"

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
echo "Setting up virtual network devices"
ip link add neutron-ext type dummy || true
ip link set neutron-ext up
ip link add neutron-phys type dummy || true
ip link set neutron-phys up

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
echo "Setting Kubecfg Location"
export KUBECONFIG=/root/admin.conf
echo "Cloning OpenStack-Helm"
git clone --depth 1 https://github.com/openstack/openstack-helm.git /opt/openstack-helm
echo "Starting helm local repo"
helm serve &
until curl -sSL --connect-timeout 1 http://localhost:8879 > /dev/null; do
echo "Waiting for helm serve to start"
sleep 2
helm repo add local http://localhost:8879/charts
echo "Building OpenStack-Helm"
cd /opt/openstack-helm

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
echo "Setting Kubecfg Location"
export KUBECONFIG=/root/admin.conf
echo "Labeling the nodes for Openstack-Helm deployment"
kubectl label nodes openstack-control-plane=enabled --all --namespace=openstack --overwrite
kubectl label nodes openvswitch=enabled --all --namespace=openstack --overwrite
kubectl label nodes openstack-compute-node=enabled --all --namespace=openstack --overwrite
echo "RBAC: applying development rules (totally open!)"
kubectl update -f /opt/rbac/dev.yaml

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
echo "Setting Kubecfg Location"
export KUBECONFIG=/root/admin.conf
echo "Deploying NFS Provisioner"
kubectl create -R -f /opt/nfs-provisioner/

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Description=Minimal target for containerized applications
Requires=systemd-tmpfiles-setup.service systemd-journald.service dbus.service
After=systemd-tmpfiles-setup.service systemd-journald.service dbus.service

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Description=Start Kubeadm AIO Cluster

# Copyright 2017 The Openstack-Helm Authors.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
# Setup shared mounts for kubelet
sudo mkdir -p /var/lib/kubelet
sudo mount --bind /var/lib/kublet /var/lib/kubelet
sudo mount --make-shared /var/lib/kubelet
# Cleanup any old deployment
sudo docker rm -f kubeadm-aio || true
sudo docker rm -f kubelet || true
sudo docker ps -aq | xargs -l1 sudo docker rm -f || true
sudo rm -rfv \
/etc/cni/net.d \
/etc/kubernetes \
/var/lib/etcd \
/var/lib/kubelet/* \
/run/openvswitch \
${HOME}/.kubeadm-aio/admin.conf \
/var/lib/nfs-provisioner || true
# Launch Container
sudo docker run \
-dt \
--name=kubeadm-aio \
--net=host \
--security-opt=seccomp:unconfined \
--cap-add=SYS_ADMIN \
--tmpfs=/run \
--tmpfs=/run/lock \
--volume=/etc/machine-id:/etc/machine-id:ro \
--volume=${HOME}:${HOME}:rw \
--volume=${HOME}/.kubeadm-aio:/root:rw \
--volume=/etc/kubernetes:/etc/kubernetes:rw \
--volume=/sys/fs/cgroup:/sys/fs/cgroup:ro \
--volume=/var/run/docker.sock:/run/docker.sock \
# Wait for kubeconfig
while [[ ! -f ${HOME}/.kubeadm-aio/admin.conf ]]; do
echo "Waiting for kubeconfig"
sleep 2
# Set perms of kubeconfig and set env-var
sudo chown $(id -u):$(id -g) ${HOME}/.kubeadm-aio/admin.conf
export KUBECONFIG=${HOME}/.kubeadm-aio/admin.conf
# Wait for node to be ready before continuing
while [[ $NODE_STATUS != "Ready" ]]; do
NODE_STATUS=$(kubectl get nodes --no-headers=true | awk "{ print \$2 }" | head -1)
echo "Current node status: ${NODE_STATUS}"
sleep 2
# Initialize Helm
helm init
# Initialize Environment for Development
sudo docker exec kubeadm-aio openstack-helm-dev-prep
# Deploy NFS provisioner into enviromment
sudo docker exec kubeadm-aio openstack-helm-nfs-prep