commit 7b5c38e97384257a03ec29e9eec56e2a46a07816 · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2105.xml

···

       788
        
            and use Maturin as their build tool.

     

       789
        
           </para>

     

       790
        
          </listitem>

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       791
        
         </itemizedlist>

     

       792
        
        </section>

     

       793
        
       </section>

···

       788
        
            and use Maturin as their build tool.

     

       789
        
           </para>

     

       790
        
          </listitem>

     

       791
       +
          <listitem>

     

       792
       +
           <para>

     

       793
       +
            Kubernetes has <link xlink:href="https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/">deprecated docker</link> as container runtime.

     

       794
       +
            As a consequence, the Kubernetes module now has support for configuration of custom remote container runtimes and enables containerd by default.

     

       795
       +
            Note that containerd is more strict regarding container image OCI-compliance.

     

       796
       +
            As an example, images with CMD or ENTRYPOINT defined as strings (not lists) will fail on containerd, while working fine on docker.

     

       797
       +
            Please test your setup and container images with containerd prior to upgrading.

     

       798
       +
           </para>

     

       799
       +
          </listitem>

     

       800
        
         </itemizedlist>

     

       801
        
        </section>

     

       802
        
       </section>

nixos/modules/module-list.nix

···

       1053
        
         ./testing/service-runner.nix

     

       1054
        
         ./virtualisation/anbox.nix

     

       1055
        
         ./virtualisation/container-config.nix

     

       0
        
       
     

       1056
        
         ./virtualisation/containers.nix

     

       1057
        
         ./virtualisation/nixos-containers.nix

     

       1058
        
         ./virtualisation/oci-containers.nix

···

       1053
        
         ./testing/service-runner.nix

     

       1054
        
         ./virtualisation/anbox.nix

     

       1055
        
         ./virtualisation/container-config.nix

     

       1056
       +
         ./virtualisation/containerd.nix

     

       1057
        
         ./virtualisation/containers.nix

     

       1058
        
         ./virtualisation/nixos-containers.nix

     

       1059
        
         ./virtualisation/oci-containers.nix

-2

nixos/modules/services/cluster/kubernetes/apiserver.nix

···

       260
        
               account token issuer. The issuer will sign issued ID tokens with this

     

       261
        
               private key.

     

       262
        
             '';

     

       263
       -
             default = top.serviceAccountSigningKeyFile;

     

       264
        
             type = path;

     

       265
        
           };

     

       266
        
       

     
···

       272
        
               different files. If unspecified, --tls-private-key-file is used.

     

       273
        
               Must be specified when --service-account-signing-key is provided

     

       274
        
             '';

     

       275
       -
             default = top.serviceAccountKeyFile;

     

       276
        
             type = path;

     

       277
        
           };

     

       278

···

       260
        
               account token issuer. The issuer will sign issued ID tokens with this

     

       261
        
               private key.

     

       262
        
             '';

     

       0
        
       
     

       263
        
             type = path;

     

       264
        
           };

     

       265
        
       

     
···

       271
        
               different files. If unspecified, --tls-private-key-file is used.

     

       272
        
               Must be specified when --service-account-signing-key is provided

     

       273
        
             '';

     

       0
        
       
     

       274
        
             type = path;

     

       275
        
           };

     

       276

+25 -8

nixos/modules/services/cluster/kubernetes/default.nix

···

       5
        
       let

     

       6
        
         cfg = config.services.kubernetes;

     

       7
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       8
        
         mkKubeConfig = name: conf: pkgs.writeText "${name}-kubeconfig" (builtins.toJSON {

     

       9
        
           apiVersion = "v1";

     

       10
        
           kind = "Config";

     
···

       222
        
           })

     

       223
        
       

     

       224
        
           (mkIf cfg.kubelet.enable {

     

       225
       -
             virtualisation.docker = {

     

       226
        
               enable = mkDefault true;

     

       227
       -
       

     

       228
       -
               # kubernetes needs access to logs

     

       229
       -
               logDriver = mkDefault "json-file";

     

       230
       -
       

     

       231
       -
               # iptables must be disabled for kubernetes

     

       232
       -
               extraOptions = "--iptables=false --ip-masq=false";

     

       233
        
             };

     

       234
        
           })

     

       235
        
       

     
···

       269
        
             users.users.kubernetes = {

     

       270
        
               uid = config.ids.uids.kubernetes;

     

       271
        
               description = "Kubernetes user";

     

       272
       -
               extraGroups = [ "docker" ];

     

       273
        
               group = "kubernetes";

     

       274
        
               home = cfg.dataDir;

     

       275
        
               createHome = true;

···

       5
        
       let

     

       6
        
         cfg = config.services.kubernetes;

     

       7
        
       

     

       8
       +
         defaultContainerdConfigFile = pkgs.writeText "containerd.toml" ''

     

       9
       +
           version = 2

     

       10
       +
           root = "/var/lib/containerd/daemon"

     

       11
       +
           state = "/var/run/containerd/daemon"

     

       12
       +
           oom_score = 0

     

       13
       +
       

     

       14
       +
           [grpc]

     

       15
       +
             address = "/var/run/containerd/containerd.sock"

     

       16
       +
       

     

       17
       +
           [plugins."io.containerd.grpc.v1.cri"]

     

       18
       +
             sandbox_image = "pause:latest"

     

       19
       +
       

     

       20
       +
           [plugins."io.containerd.grpc.v1.cri".cni]

     

       21
       +
             bin_dir = "/opt/cni/bin"

     

       22
       +
             max_conf_num = 0

     

       23
       +
       

     

       24
       +
           [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]

     

       25
       +
             runtime_type = "io.containerd.runc.v2"

     

       26
       +
       

     

       27
       +
           [plugins."io.containerd.grpc.v1.cri".containerd.runtimes."io.containerd.runc.v2".options]

     

       28
       +
             SystemdCgroup = true

     

       29
       +
         '';

     

       30
       +
       

     

       31
        
         mkKubeConfig = name: conf: pkgs.writeText "${name}-kubeconfig" (builtins.toJSON {

     

       32
        
           apiVersion = "v1";

     

       33
        
           kind = "Config";

     
···

       245
        
           })

     

       246
        
       

     

       247
        
           (mkIf cfg.kubelet.enable {

     

       248
       +
             virtualisation.containerd = {

     

       249
        
               enable = mkDefault true;

     

       250
       +
               configFile = mkDefault defaultContainerdConfigFile;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       251
        
             };

     

       252
        
           })

     

       253
        
       

     
···

       287
        
             users.users.kubernetes = {

     

       288
        
               uid = config.ids.uids.kubernetes;

     

       289
        
               description = "Kubernetes user";

     

       0
        
       
     

       290
        
               group = "kubernetes";

     

       291
        
               home = cfg.dataDir;

     

       292
        
               createHome = true;

+2 -38

nixos/modules/services/cluster/kubernetes/flannel.nix

···

       8
        
       

     

       9
        
         # we want flannel to use kubernetes itself as configuration backend, not direct etcd

     

       10
        
         storageBackend = "kubernetes";

     

       11
       -
       

     

       12
       -
         # needed for flannel to pass options to docker

     

       13
       -
         mkDockerOpts = pkgs.runCommand "mk-docker-opts" {

     

       14
       -
           buildInputs = [ pkgs.makeWrapper ];

     

       15
       -
         } ''

     

       16
       -
           mkdir -p $out

     

       17
       -
       

     

       18
       -
           # bashInteractive needed for `compgen`

     

       19
       -
           makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "${pkgs.kubernetes}/bin/mk-docker-opts.sh"

     

       20
       -
         '';

     

       21
        
       in

     

       22
        
       {

     

       23
        
         ###### interface

     
···

       43
        
               cniVersion = "0.3.1";

     

       44
        
               delegate = {

     

       45
        
                 isDefaultGateway = true;

     

       46
       -
                 bridge = "docker0";

     

       47
        
               };

     

       48
        
             }];

     

       49
        
           };

     

       50
        
       

     

       51
       -
           systemd.services.mk-docker-opts = {

     

       52
       -
             description = "Pre-Docker Actions";

     

       53
       -
             path = with pkgs; [ gawk gnugrep ];

     

       54
       -
             script = ''

     

       55
       -
               ${mkDockerOpts}/mk-docker-opts -d /run/flannel/docker

     

       56
       -
               systemctl restart docker

     

       57
       -
             '';

     

       58
       -
             serviceConfig.Type = "oneshot";

     

       59
       -
           };

     

       60
       -
       

     

       61
       -
           systemd.paths.flannel-subnet-env = {

     

       62
       -
             wantedBy = [ "flannel.service" ];

     

       63
       -
             pathConfig = {

     

       64
       -
               PathModified = "/run/flannel/subnet.env";

     

       65
       -
               Unit = "mk-docker-opts.service";

     

       66
       -
             };

     

       67
       -
           };

     

       68
       -
       

     

       69
       -
           systemd.services.docker = {

     

       70
       -
             environment.DOCKER_OPTS = "-b none";

     

       71
       -
             serviceConfig.EnvironmentFile = "-/run/flannel/docker";

     

       72
       -
           };

     

       73
       -
       

     

       74
       -
           # read environment variables generated by mk-docker-opts

     

       75
       -
           virtualisation.docker.extraOptions = "$DOCKER_OPTS";

     

       76
       -
       

     

       77
        
           networking = {

     

       78
        
             firewall.allowedUDPPorts = [

     

       79
        
               8285  # flannel udp

     

       80
        
               8472  # flannel vxlan

     

       81
        
             ];

     

       82
       -
             dhcpcd.denyInterfaces = [ "docker*" "flannel*" ];

     

       83
        
           };

     

       84
        
       

     

       85
        
           services.kubernetes.pki.certs = {

···

       8
        
       

     

       9
        
         # we want flannel to use kubernetes itself as configuration backend, not direct etcd

     

       10
        
         storageBackend = "kubernetes";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
       in

     

       12
        
       {

     

       13
        
         ###### interface

     
···

       33
        
               cniVersion = "0.3.1";

     

       34
        
               delegate = {

     

       35
        
                 isDefaultGateway = true;

     

       36
       +
                 bridge = "mynet";

     

       37
        
               };

     

       38
        
             }];

     

       39
        
           };

     

       40
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       41
        
           networking = {

     

       42
        
             firewall.allowedUDPPorts = [

     

       43
        
               8285  # flannel udp

     

       44
        
               8472  # flannel vxlan

     

       45
        
             ];

     

       46
       +
             dhcpcd.denyInterfaces = [ "mynet*" "flannel*" ];

     

       47
        
           };

     

       48
        
       

     

       49
        
           services.kubernetes.pki.certs = {

+20 -7

nixos/modules/services/cluster/kubernetes/kubelet.nix

···

       23
        
           name = "pause";

     

       24
        
           tag = "latest";

     

       25
        
           contents = top.package.pause;

     

       26
       -
           config.Cmd = "/bin/pause";

     

       27
        
         };

     

       28
        
       

     

       29
        
         kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig;

     
···

       134
        
           containerRuntimeEndpoint = mkOption {

     

       135
        
             description = "Endpoint at which to find the container runtime api interface/socket";

     

       136
        
             type = str;

     

       137
       -
             default = "unix:///var/run/docker/containerd/containerd.sock";

     

       138
        
           };

     

       139
        
       

     

       140
        
           enable = mkEnableOption "Kubernetes kubelet.";

     
···

       247
        
         ###### implementation

     

       248
        
         config = mkMerge [

     

       249
        
           (mkIf cfg.enable {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       250
        
             services.kubernetes.kubelet.seedDockerImages = [infraContainer];

     

       251
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       252
        
             systemd.services.kubelet = {

     

       253
        
               description = "Kubernetes Kubelet Service";

     

       254
        
               wantedBy = [ "kubernetes.target" ];

     

       255
       -
               after = [ "network.target" "kube-apiserver.service" "sockets.target" ];

     

       256
        
               path = with pkgs; [

     

       257
        
                 gitMinimal

     

       258
        
                 openssh

     

       259
       -
                 docker

     

       260
        
                 util-linux

     

       261
        
                 iproute

     

       262
        
                 ethtool

     
···

       266
        
               ] ++ lib.optional config.boot.zfs.enabled config.boot.zfs.package ++ top.path;

     

       267
        
               preStart = ''

     

       268
        
                 ${concatMapStrings (img: ''

     

       269
       -
                   echo "Seeding docker image: ${img}"

     

       270
       -
                   docker load <${img}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       271
        
                 '') cfg.seedDockerImages}

     

       272
        
       

     

       273
        
                 rm /opt/cni/bin/* || true

     
···

       320
        
                   ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \

     

       321
        
                   --container-runtime=${cfg.containerRuntime} \

     

       322
        
                   --container-runtime-endpoint=${cfg.containerRuntimeEndpoint} \

     

       0
        
       
     

       323
        
                   ${cfg.extraOpts}

     

       324
        
                 '';

     

       325
        
                 WorkingDirectory = top.dataDir;

     
···

       329
        
             # Allways include cni plugins

     

       330
        
             services.kubernetes.kubelet.cni.packages = [pkgs.cni-plugins];

     

       331
        
       

     

       332
       -
             boot.kernelModules = ["br_netfilter"];

     

       333
        
       

     

       334
        
             services.kubernetes.kubelet.hostname = with config.networking;

     

       335
        
               mkDefault (hostName + optionalString (domain != null) ".${domain}");

···

       23
        
           name = "pause";

     

       24
        
           tag = "latest";

     

       25
        
           contents = top.package.pause;

     

       26
       +
           config.Cmd = ["/bin/pause"];

     

       27
        
         };

     

       28
        
       

     

       29
        
         kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig;

     
···

       134
        
           containerRuntimeEndpoint = mkOption {

     

       135
        
             description = "Endpoint at which to find the container runtime api interface/socket";

     

       136
        
             type = str;

     

       137
       +
             default = "unix:///var/run/containerd/containerd.sock";

     

       138
        
           };

     

       139
        
       

     

       140
        
           enable = mkEnableOption "Kubernetes kubelet.";

     
···

       247
        
         ###### implementation

     

       248
        
         config = mkMerge [

     

       249
        
           (mkIf cfg.enable {

     

       250
       +
       

     

       251
       +
             environment.etc."cni/net.d".source = cniConfig;

     

       252
       +
       

     

       253
        
             services.kubernetes.kubelet.seedDockerImages = [infraContainer];

     

       254
        
       

     

       255
       +
             boot.kernel.sysctl = {

     

       256
       +
               "net.bridge.bridge-nf-call-iptables"  = 1;

     

       257
       +
               "net.ipv4.ip_forward"                 = 1;

     

       258
       +
               "net.bridge.bridge-nf-call-ip6tables" = 1;

     

       259
       +
             };

     

       260
       +
       

     

       261
        
             systemd.services.kubelet = {

     

       262
        
               description = "Kubernetes Kubelet Service";

     

       263
        
               wantedBy = [ "kubernetes.target" ];

     

       264
       +
               after = [ "containerd.service" "network.target" "kube-apiserver.service" ];

     

       265
        
               path = with pkgs; [

     

       266
        
                 gitMinimal

     

       267
        
                 openssh

     

       0
        
       
     

       268
        
                 util-linux

     

       269
        
                 iproute

     

       270
        
                 ethtool

     
···

       274
        
               ] ++ lib.optional config.boot.zfs.enabled config.boot.zfs.package ++ top.path;

     

       275
        
               preStart = ''

     

       276
        
                 ${concatMapStrings (img: ''

     

       277
       +
                   echo "Seeding container image: ${img}"

     

       278
       +
                   ${if (lib.hasSuffix "gz" img) then

     

       279
       +
                     ''${pkgs.gzip}/bin/zcat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -''

     

       280
       +
                   else

     

       281
       +
                     ''${pkgs.coreutils}/bin/cat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -''

     

       282
       +
                   }

     

       283
        
                 '') cfg.seedDockerImages}

     

       284
        
       

     

       285
        
                 rm /opt/cni/bin/* || true

     
···

       332
        
                   ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \

     

       333
        
                   --container-runtime=${cfg.containerRuntime} \

     

       334
        
                   --container-runtime-endpoint=${cfg.containerRuntimeEndpoint} \

     

       335
       +
                   --cgroup-driver=systemd \

     

       336
        
                   ${cfg.extraOpts}

     

       337
        
                 '';

     

       338
        
                 WorkingDirectory = top.dataDir;

     
···

       342
        
             # Allways include cni plugins

     

       343
        
             services.kubernetes.kubelet.cni.packages = [pkgs.cni-plugins];

     

       344
        
       

     

       345
       +
             boot.kernelModules = ["br_netfilter" "overlay"];

     

       346
        
       

     

       347
        
             services.kubernetes.kubelet.hostname = with config.networking;

     

       348
        
               mkDefault (hostName + optionalString (domain != null) ".${domain}");

+2 -4

nixos/modules/services/networking/flannel.nix

···

       162
        
               NODE_NAME = cfg.nodeName;

     

       163
        
             };

     

       164
        
             path = [ pkgs.iptables ];

     

       165
       -
             preStart = ''

     

       166
       -
               mkdir -p /run/flannel

     

       167
       -
               touch /run/flannel/docker

     

       168
       -
             '' + optionalString (cfg.storageBackend == "etcd") ''

     

       169
        
               echo "setting network configuration"

     

       170
        
               until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'

     

       171
        
               do

     
···

       177
        
               ExecStart = "${cfg.package}/bin/flannel";

     

       178
        
               Restart = "always";

     

       179
        
               RestartSec = "10s";

     

       0
        
       
     

       180
        
             };

     

       181
        
           };

     

       182

···

       162
        
               NODE_NAME = cfg.nodeName;

     

       163
        
             };

     

       164
        
             path = [ pkgs.iptables ];

     

       165
       +
             preStart = optionalString (cfg.storageBackend == "etcd") ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       166
        
               echo "setting network configuration"

     

       167
        
               until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'

     

       168
        
               do

     
···

       174
        
               ExecStart = "${cfg.package}/bin/flannel";

     

       175
        
               Restart = "always";

     

       176
        
               RestartSec = "10s";

     

       177
       +
               RuntimeDirectory = "flannel";

     

       178
        
             };

     

       179
        
           };

     

       180

+60

nixos/modules/virtualisation/containerd.nix

···

       1
       +
       { pkgs, lib, config, ... }:

     

       2
       +
       let

     

       3
       +
         cfg = config.virtualisation.containerd;

     

       4
       +
         containerdConfigChecked = pkgs.runCommand "containerd-config-checked.toml" { nativeBuildInputs = [pkgs.containerd]; } ''

     

       5
       +
           containerd -c ${cfg.configFile} config dump >/dev/null

     

       6
       +
           ln -s ${cfg.configFile} $out

     

       7
       +
         '';

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
       

     

       11
       +
         options.virtualisation.containerd = with lib.types; {

     

       12
       +
           enable = lib.mkEnableOption "containerd container runtime";

     

       13
       +
       

     

       14
       +
           configFile = lib.mkOption {

     

       15
       +
             default = null;

     

       16
       +
             description = "path to containerd config file";

     

       17
       +
             type = nullOr path;

     

       18
       +
           };

     

       19
       +
       

     

       20
       +
           args = lib.mkOption {

     

       21
       +
             default = {};

     

       22
       +
             description = "extra args to append to the containerd cmdline";

     

       23
       +
             type = attrsOf str;

     

       24
       +
           };

     

       25
       +
         };

     

       26
       +
       

     

       27
       +
         config = lib.mkIf cfg.enable {

     

       28
       +
           virtualisation.containerd.args.config = lib.mkIf (cfg.configFile != null) (toString containerdConfigChecked);

     

       29
       +
       

     

       30
       +
           environment.systemPackages = [pkgs.containerd];

     

       31
       +
       

     

       32
       +
           systemd.services.containerd = {

     

       33
       +
             description = "containerd - container runtime";

     

       34
       +
             wantedBy = [ "multi-user.target" ];

     

       35
       +
             after = [ "network.target" ];

     

       36
       +
             path = with pkgs; [

     

       37
       +
               containerd

     

       38
       +
               runc

     

       39
       +
               iptables

     

       40
       +
             ];

     

       41
       +
             serviceConfig = {

     

       42
       +
               ExecStart = ''${pkgs.containerd}/bin/containerd ${lib.concatStringsSep " " (lib.cli.toGNUCommandLine {} cfg.args)}'';

     

       43
       +
               Delegate = "yes";

     

       44
       +
               KillMode = "process";

     

       45
       +
               Type = "notify";

     

       46
       +
               Restart = "always";

     

       47
       +
               RestartSec = "5";

     

       48
       +
               StartLimitBurst = "8";

     

       49
       +
               StartLimitIntervalSec = "120s";

     

       50
       +
       

     

       51
       +
               # "limits" defined below are adopted from upstream: https://github.com/containerd/containerd/blob/master/containerd.service

     

       52
       +
               LimitNPROC = "infinity";

     

       53
       +
               LimitCORE = "infinity";

     

       54
       +
               LimitNOFILE = "infinity";

     

       55
       +
               TasksMax = "infinity";

     

       56
       +
               OOMScoreAdjust = "-999";

     

       57
       +
             };

     

       58
       +
           };

     

       59
       +
         };

     

       60
       +
       }

+7 -8

nixos/tests/kubernetes/dns.nix

···

       34
        
           name = "redis";

     

       35
        
           tag = "latest";

     

       36
        
           contents = [ pkgs.redis pkgs.bind.host ];

     

       37
       -
           config.Entrypoint = "/bin/redis-server";

     

       38
        
         };

     

       39
        
       

     

       40
        
         probePod = pkgs.writeText "probe-pod.json" (builtins.toJSON {

     
···

       55
        
           name = "probe";

     

       56
        
           tag = "latest";

     

       57
        
           contents = [ pkgs.bind.host pkgs.busybox ];

     

       58
       -
           config.Entrypoint = "/bin/tail";

     

       59
        
         };

     

       60
        
       

     

       61
       -
         extraConfiguration = { config, pkgs, ... }: {

     

       62
        
           environment.systemPackages = [ pkgs.bind.host ];

     

       63
       -
           # virtualisation.docker.extraOptions = "--dns=${config.services.kubernetes.addons.dns.clusterIp}";

     

       64
        
           services.dnsmasq.enable = true;

     

       65
        
           services.dnsmasq.servers = [

     

       66
        
             "/cluster.local/${config.services.kubernetes.addons.dns.clusterIp}#53"

     
···

       77
        
             # prepare machine1 for test

     

       78
        
             machine1.wait_until_succeeds("kubectl get node machine1.${domain} | grep -w Ready")

     

       79
        
             machine1.wait_until_succeeds(

     

       80
       -
                 "docker load < ${redisImage}"

     

       81
        
             )

     

       82
        
             machine1.wait_until_succeeds(

     

       83
        
                 "kubectl create -f ${redisPod}"

     
···

       86
        
                 "kubectl create -f ${redisService}"

     

       87
        
             )

     

       88
        
             machine1.wait_until_succeeds(

     

       89
       -
                 "docker load < ${probeImage}"

     

       90
        
             )

     

       91
        
             machine1.wait_until_succeeds(

     

       92
        
                 "kubectl create -f ${probePod}"

     
···

       118
        
             # prepare machines for test

     

       119
        
             machine1.wait_until_succeeds("kubectl get node machine2.${domain} | grep -w Ready")

     

       120
        
             machine2.wait_until_succeeds(

     

       121
       -
                 "docker load < ${redisImage}"

     

       122
        
             )

     

       123
        
             machine1.wait_until_succeeds(

     

       124
        
                 "kubectl create -f ${redisPod}"

     
···

       127
        
                 "kubectl create -f ${redisService}"

     

       128
        
             )

     

       129
        
             machine2.wait_until_succeeds(

     

       130
       -
                 "docker load < ${probeImage}"

     

       131
        
             )

     

       132
        
             machine1.wait_until_succeeds(

     

       133
        
                 "kubectl create -f ${probePod}"

···

       34
        
           name = "redis";

     

       35
        
           tag = "latest";

     

       36
        
           contents = [ pkgs.redis pkgs.bind.host ];

     

       37
       +
           config.Entrypoint = ["/bin/redis-server"];

     

       38
        
         };

     

       39
        
       

     

       40
        
         probePod = pkgs.writeText "probe-pod.json" (builtins.toJSON {

     
···

       55
        
           name = "probe";

     

       56
        
           tag = "latest";

     

       57
        
           contents = [ pkgs.bind.host pkgs.busybox ];

     

       58
       +
           config.Entrypoint = ["/bin/tail"];

     

       59
        
         };

     

       60
        
       

     

       61
       +
         extraConfiguration = { config, pkgs, lib, ... }: {

     

       62
        
           environment.systemPackages = [ pkgs.bind.host ];

     

       0
        
       
     

       63
        
           services.dnsmasq.enable = true;

     

       64
        
           services.dnsmasq.servers = [

     

       65
        
             "/cluster.local/${config.services.kubernetes.addons.dns.clusterIp}#53"

     
···

       76
        
             # prepare machine1 for test

     

       77
        
             machine1.wait_until_succeeds("kubectl get node machine1.${domain} | grep -w Ready")

     

       78
        
             machine1.wait_until_succeeds(

     

       79
       +
                 "${pkgs.gzip}/bin/zcat ${redisImage} | ${pkgs.containerd}/bin/ctr -n k8s.io image import -"

     

       80
        
             )

     

       81
        
             machine1.wait_until_succeeds(

     

       82
        
                 "kubectl create -f ${redisPod}"

     
···

       85
        
                 "kubectl create -f ${redisService}"

     

       86
        
             )

     

       87
        
             machine1.wait_until_succeeds(

     

       88
       +
                 "${pkgs.gzip}/bin/zcat ${probeImage} | ${pkgs.containerd}/bin/ctr -n k8s.io image import -"

     

       89
        
             )

     

       90
        
             machine1.wait_until_succeeds(

     

       91
        
                 "kubectl create -f ${probePod}"

     
···

       117
        
             # prepare machines for test

     

       118
        
             machine1.wait_until_succeeds("kubectl get node machine2.${domain} | grep -w Ready")

     

       119
        
             machine2.wait_until_succeeds(

     

       120
       +
                 "${pkgs.gzip}/bin/zcat ${redisImage} | ${pkgs.containerd}/bin/ctr -n k8s.io image import -"

     

       121
        
             )

     

       122
        
             machine1.wait_until_succeeds(

     

       123
        
                 "kubectl create -f ${redisPod}"

     
···

       126
        
                 "kubectl create -f ${redisService}"

     

       127
        
             )

     

       128
        
             machine2.wait_until_succeeds(

     

       129
       +
                 "${pkgs.gzip}/bin/zcat ${probeImage} | ${pkgs.containerd}/bin/ctr -n k8s.io image import -"

     

       130
        
             )

     

       131
        
             machine1.wait_until_succeeds(

     

       132
        
                 "kubectl create -f ${probePod}"

+3 -3

nixos/tests/kubernetes/rbac.nix

···

       85
        
           name = "kubectl";

     

       86
        
           tag = "latest";

     

       87
        
           contents = [ kubectl pkgs.busybox kubectlPod2 ];

     

       88
       -
           config.Entrypoint = "/bin/sh";

     

       89
        
         };

     

       90
        
       

     

       91
        
         base = {

     
···

       97
        
             machine1.wait_until_succeeds("kubectl get node machine1.my.zyx | grep -w Ready")

     

       98
        
       

     

       99
        
             machine1.wait_until_succeeds(

     

       100
       -
                 "docker load < ${kubectlImage}"

     

       101
        
             )

     

       102
        
       

     

       103
        
             machine1.wait_until_succeeds(

     
···

       134
        
             machine1.wait_until_succeeds("kubectl get node machine2.my.zyx | grep -w Ready")

     

       135
        
       

     

       136
        
             machine2.wait_until_succeeds(

     

       137
       -
                 "docker load < ${kubectlImage}"

     

       138
        
             )

     

       139
        
       

     

       140
        
             machine1.wait_until_succeeds(

···

       85
        
           name = "kubectl";

     

       86
        
           tag = "latest";

     

       87
        
           contents = [ kubectl pkgs.busybox kubectlPod2 ];

     

       88
       +
           config.Entrypoint = ["/bin/sh"];

     

       89
        
         };

     

       90
        
       

     

       91
        
         base = {

     
···

       97
        
             machine1.wait_until_succeeds("kubectl get node machine1.my.zyx | grep -w Ready")

     

       98
        
       

     

       99
        
             machine1.wait_until_succeeds(

     

       100
       +
                 "${pkgs.gzip}/bin/zcat ${kubectlImage} | ${pkgs.containerd}/bin/ctr -n k8s.io image import -"

     

       101
        
             )

     

       102
        
       

     

       103
        
             machine1.wait_until_succeeds(

     
···

       134
        
             machine1.wait_until_succeeds("kubectl get node machine2.my.zyx | grep -w Ready")

     

       135
        
       

     

       136
        
             machine2.wait_until_succeeds(

     

       137
       +
                 "${pkgs.gzip}/bin/zcat ${kubectlImage} | ${pkgs.containerd}/bin/ctr -n k8s.io image import -"

     

       138
        
             )

     

       139
        
       

     

       140
        
             machine1.wait_until_succeeds(

-2

pkgs/applications/networking/cluster/kubernetes/default.nix

···

       77
        
       

     

       78
        
           cp cluster/addons/addon-manager/kube-addons.sh $out/bin/kube-addons-lib.sh

     

       79
        
       

     

       80
       -
           cp ${./mk-docker-opts.sh} $out/bin/mk-docker-opts.sh

     

       81
       -
       

     

       82
        
           for tool in kubeadm kubectl; do

     

       83
        
             installShellCompletion --cmd $tool \

     

       84
        
               --bash <($out/bin/$tool completion bash) \

···

       77
        
       

     

       78
        
           cp cluster/addons/addon-manager/kube-addons.sh $out/bin/kube-addons-lib.sh

     

       79
        
       

     

       0
        
       
     

       0
        
       
     

       80
        
           for tool in kubeadm kubectl; do

     

       81
        
             installShellCompletion --cmd $tool \

     

       82
        
               --bash <($out/bin/$tool completion bash) \

-113

pkgs/applications/networking/cluster/kubernetes/mk-docker-opts.sh

···

       1
       -
       #!/usr/bin/env bash

     

       2
       -
       

     

       3
       -
       # Copyright 2014 The Kubernetes Authors.

     

       4
       -
       #

     

       5
       -
       # Licensed under the Apache License, Version 2.0 (the "License");

     

       6
       -
       # you may not use this file except in compliance with the License.

     

       7
       -
       # You may obtain a copy of the License at

     

       8
       -
       #

     

       9
       -
       #     http://www.apache.org/licenses/LICENSE-2.0

     

       10
       -
       #

     

       11
       -
       # Unless required by applicable law or agreed to in writing, software

     

       12
       -
       # distributed under the License is distributed on an "AS IS" BASIS,

     

       13
       -
       # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

     

       14
       -
       # See the License for the specific language governing permissions and

     

       15
       -
       # limitations under the License.

     

       16
       -
       

     

       17
       -
       # Generate Docker daemon options based on flannel env file.

     

       18
       -
       

     

       19
       -
       # exit on any error

     

       20
       -
       set -e

     

       21
       -
       

     

       22
       -
       usage() {

     

       23
       -
         echo "$0 [-f FLANNEL-ENV-FILE] [-d DOCKER-ENV-FILE] [-i] [-c] [-m] [-k COMBINED-KEY]

     

       24
       -
       

     

       25
       -
       Generate Docker daemon options based on flannel env file

     

       26
       -
       OPTIONS:

     

       27
       -
           -f  Path to flannel env file. Defaults to /run/flannel/subnet.env

     

       28
       -
           -d  Path to Docker env file to write to. Defaults to /run/docker_opts.env

     

       29
       -
           -i  Output each Docker option as individual var. e.g. DOCKER_OPT_MTU=1500

     

       30
       -
           -c  Output combined Docker options into DOCKER_OPTS var

     

       31
       -
           -k  Set the combined options key to this value (default DOCKER_OPTS=)

     

       32
       -
           -m  Do not output --ip-masq (useful for older Docker version)

     

       33
       -
       " >/dev/stderr

     

       34
       -
         exit 1

     

       35
       -
       }

     

       36
       -
       

     

       37
       -
       flannel_env="/run/flannel/subnet.env"

     

       38
       -
       docker_env="/run/docker_opts.env"

     

       39
       -
       combined_opts_key="DOCKER_OPTS"

     

       40
       -
       indiv_opts=false

     

       41
       -
       combined_opts=false

     

       42
       -
       ipmasq=true

     

       43
       -
       val=""

     

       44
       -
       

     

       45
       -
       while getopts "f:d:icmk:" opt; do

     

       46
       -
         case $opt in

     

       47
       -
           f)

     

       48
       -
             flannel_env=$OPTARG

     

       49
       -
             ;;

     

       50
       -
           d)

     

       51
       -
             docker_env=$OPTARG

     

       52
       -
             ;;

     

       53
       -
           i)

     

       54
       -
             indiv_opts=true

     

       55
       -
             ;;

     

       56
       -
           c)

     

       57
       -
             combined_opts=true

     

       58
       -
             ;;

     

       59
       -
           m)

     

       60
       -
             ipmasq=false

     

       61
       -
             ;;

     

       62
       -
           k)

     

       63
       -
             combined_opts_key=$OPTARG

     

       64
       -
             ;;

     

       65
       -
           \?)

     

       66
       -
             usage

     

       67
       -
             ;;

     

       68
       -
         esac

     

       69
       -
       done

     

       70
       -
       

     

       71
       -
       if [[ $indiv_opts = false ]] && [[ $combined_opts = false ]]; then

     

       72
       -
         indiv_opts=true

     

       73
       -
         combined_opts=true

     

       74
       -
       fi

     

       75
       -
       

     

       76
       -
       if [[ -f "${flannel_env}" ]]; then

     

       77
       -
         source "${flannel_env}"

     

       78
       -
       fi

     

       79
       -
       

     

       80
       -
       if [[ -n "$FLANNEL_SUBNET" ]]; then

     

       81
       -
         # shellcheck disable=SC2034  # Variable name referenced in OPT_LOOP below

     

       82
       -
         DOCKER_OPT_BIP="--bip=$FLANNEL_SUBNET"

     

       83
       -
       fi

     

       84
       -
       

     

       85
       -
       if [[ -n "$FLANNEL_MTU" ]]; then

     

       86
       -
         # shellcheck disable=SC2034  # Variable name referenced in OPT_LOOP below

     

       87
       -
         DOCKER_OPT_MTU="--mtu=$FLANNEL_MTU"

     

       88
       -
       fi

     

       89
       -
       

     

       90
       -
       if [[ "$FLANNEL_IPMASQ" = true ]] && [[ $ipmasq = true ]]; then

     

       91
       -
         # shellcheck disable=SC2034  # Variable name referenced in OPT_LOOP below

     

       92
       -
         DOCKER_OPT_IPMASQ="--ip-masq=false"

     

       93
       -
       fi

     

       94
       -
       

     

       95
       -
       eval docker_opts="\$${combined_opts_key}"

     

       96
       -
       docker_opts+=" "

     

       97
       -
       

     

       98
       -
       echo -n "" >"${docker_env}"

     

       99
       -
       

     

       100
       -
       # OPT_LOOP

     

       101
       -
       for opt in $(compgen -v DOCKER_OPT_); do

     

       102
       -
         eval val=\$"${opt}"

     

       103
       -
       

     

       104
       -
         if [[ "$indiv_opts" = true ]]; then

     

       105
       -
           echo "$opt=\"$val\"" >>"${docker_env}"

     

       106
       -
         fi

     

       107
       -
       

     

       108
       -
         docker_opts+="$val "

     

       109
       -
       done

     

       110
       -
       

     

       111
       -
       if [[ "$combined_opts" = true ]]; then

     

       112
       -
         echo "${combined_opts_key}=\"${docker_opts}\"" >>"${docker_env}"

     

       113
       -
       fi