Closed michalschott closed 7 months ago
Based on https://bytemeta.vip/repo/kubernetes/node-problem-detector/issues/683 I've managed to solve it with a custom NPD container.
Dockerfile:
FROM registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.12 as builder
# Install crictl
ARG TARGETOS
ARG TARGETARCH
# `BUILDX_ARCH` will be used in the buildx package download URL.
# The required format is `TARGETOS-TARGETARCH`.
# Default it to linux-amd64 so that the Dockerfile
# works with or without buildkit.
ENV BUILDX_ARCH="${TARGETOS:-linux}-${TARGETARCH:-amd64}"
ARG VERSION="v1.25.0"
RUN apt-get -qq update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -qq -y curl unzip < /dev/null > /dev/null && \
    rm -rf /var/cache/apt/* && \
    curl -sLO https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-${VERSION}-${BUILDX_ARCH}.tar.gz && \
    tar zxvf crictl-$VERSION-${BUILDX_ARCH}.tar.gz -C /usr/bin && \
    rm -f crictl-$VERSION-${BUILDX_ARCH}.tar.gz && \
    apt-get -qq autoremove curl unzip
Update daemonset manifest with:
spec.template.spec.containers.0.volumeMounts:
- mountPath: /var/run/containerd/containerd.sock
  name: containerd
spec.template.spec.volumes:
- name: containerd
  hostPath:
    path: /run/dockershim.sock
    type: Socket
Still would be handy to have CRI installed in NPD out of the box.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/lifecycle stale
/remove-lifecycle stale
@michalschott Did you ever make any progress with this?
# /bin/systemctl show containerd --property=InactiveExitTimestamp
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
@btiernay never had that problem once I built my own container and updated the manifest - make sure you have updated mountPaths.
@michalschott I'm curious how you got around the SELinux constraints in Bottlerocket with systemctl. I had to install a couple of new packages:
RUN apt-get -qq update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -qq -y --allow-change-held-packages libcap2 systemd strace < /dev/null > /dev/null && \
    rm -rf /var/cache/apt/* && \
    curl -sLO https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-${VERSION}-${BUILDX_ARCH}.tar.gz && \
    tar zxvf crictl-$VERSION-${BUILDX_ARCH}.tar.gz -C /usr/bin && \
    rm -f crictl-$VERSION-${BUILDX_ARCH}.tar.gz && \
    apt-get -qq autoremove curl unzip
And then run with SYSTEMD_IGNORE_CHROOT=1 in the environment. But even still, I hit MAC issues after configuring SELinux labels in my DaemonSet:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-problem-detector
  namespace: kube-system
spec:
  template:
    spec:
      hostPID: true
      hostIPC: true
      hostNetwork: true
      containers:
        - name: node-problem-detector
          securityContext:
            privileged: true
            seLinuxOptions:
              user: system_u
              role: system_r
              type: super_t
              level: s0
Curious how you got around that.
FYI - continuing the discussion with Bottlerocket community here: https://github.com/bottlerocket-os/bottlerocket/discussions/3156
And for the overall future of the integration here: https://github.com/bottlerocket-os/bottlerocket/discussions/3156
Please chime in if you are so inclined!
FYI: Was able to get this to work per https://github.com/bottlerocket-os/bottlerocket/discussions/3156. The key point was removing privileged: true.
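Added example, not part of the thread or of the NPD project: a small Python check that flags, in a pod spec, the settings discussed above: host namespaces, privileged, an SELinux label set alongside privileged (the combination that only worked here once privileged: true was removed), and hostPath sockets. The spec is constructed from the two manifests quoted in this thread and written as JSON so that only the standard library is needed; audit_pod_spec and without_privileged are hypothetical helper names.

```python
import json

# Constructed sample: pod template assembled from the two manifests quoted in
# this thread (socket volume from the first comment, securityContext from the
# Bottlerocket comment).
THREAD_SPEC = json.loads("""
{
  "hostPID": true, "hostIPC": true, "hostNetwork": true,
  "containers": [{
    "name": "node-problem-detector",
    "securityContext": {
      "privileged": true,
      "seLinuxOptions": {"user": "system_u", "role": "system_r",
                         "type": "super_t", "level": "s0"}
    }
  }],
  "volumes": [{"name": "containerd",
               "hostPath": {"path": "/run/dockershim.sock", "type": "Socket"}}]
}
""")


def audit_pod_spec(spec):
    """Return review findings for a pod spec (hypothetical helper)."""
    findings = []
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(field) is True:
            findings.append(f"host-namespace:{field}")
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"privileged:{c['name']}")
            # In this thread the label worked only after privileged was dropped.
            if sc.get("seLinuxOptions"):
                findings.append(f"privileged-with-selinux-label:{c['name']}")
    for v in spec.get("volumes", []):
        path = (v.get("hostPath") or {}).get("path", "")
        if path.endswith(".sock"):
            findings.append(f"host-socket:{path}")
    return findings


def without_privileged(spec):
    """Deep copy of spec with privileged removed from every container."""
    fixed = json.loads(json.dumps(spec))
    for c in fixed.get("containers", []):
        (c.get("securityContext") or {}).pop("privileged", None)
    return fixed
```

To run it against a live object, pass in the spec.template.spec value from the DaemonSet's JSON output.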
@btiernay I do not set the seLinuxOptions key, but glad you sorted this out.
/lifecycle stale
/lifecycle rotten
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".