change permission for product_serial (#162)

* change permission for product_serial - copy to kube-apiserver pre-start - needed to address race condition where product_serial can't be read - moved the cloud-provider permissions checks out to their own common package [#154366287]
cloudfoundry-incubator · Jan 24, 2018 · 273d321 · 273d321
1 parent 19a269d
commit 273d321
Show file tree

Hide file tree

Showing 9 changed files with 38 additions and 33 deletions.
diff --git a/jobs/kube-apiserver/spec b/jobs/kube-apiserver/spec
@@ -13,6 +13,7 @@ templates:
   config/etcd-client.key.erb: config/etcd-client.key
 
 packages:
+- kubo-common
 - pid_utils
 - kubernetes
 

diff --git a/jobs/kube-apiserver/templates/bin/kube_apiserver_ctl.erb b/jobs/kube-apiserver/templates/bin/kube_apiserver_ctl.erb
@@ -8,17 +8,9 @@ RUN_DIR=/var/vcap/sys/run/kubernetes
 PIDFILE=$RUN_DIR/kube-apiserver.pid
 LOG_DIR=/var/vcap/sys/log/kube-apiserver
 
-if [ -e /var/vcap/jobs/cloud-provider/bin/cloud-provider_utils ]; then
-  . /var/vcap/jobs/cloud-provider/bin/cloud-provider_utils
-  set_cloud_provider
-  cloud_config="/var/vcap/jobs/cloud-provider/config/cloud-provider.ini"
-else
-  cloud_provider=""
-  cloud_config=""
-fi
-
 # shellcheck disable=SC1091
 . /var/vcap/packages/pid_utils/pid_utils.sh
+.  /var/vcap/packages/kubo-common/utils.sh
 
 setup_directories() {
   mkdir -p "$RUN_DIR" "$LOG_DIR"
@@ -34,6 +26,9 @@ send_process_stderr_to_logfile() {
 }
 
 start_kube_apiserver() {
+  detect_cloud_config
+  check_and_chmod_product_serial $cloud_provider
+
 <%
   etcd_endpoints = link("etcd").instances.map do |instance|
     # See kubo-dns-aliases/dns/aliases.json

diff --git a/jobs/kube-controller-manager/spec b/jobs/kube-controller-manager/spec
@@ -10,6 +10,7 @@ templates:
 packages:
 - pid_utils
 - kubernetes
+- kubo-common
 
 properties:
   api-token:

diff --git a/jobs/kube-controller-manager/templates/bin/kube_controller_manager_ctl.erb b/jobs/kube-controller-manager/templates/bin/kube_controller_manager_ctl.erb
@@ -8,17 +8,9 @@ RUN_DIR=/var/vcap/sys/run/kubernetes
 PIDFILE=$RUN_DIR/kube-controller-manager.pid
 LOG_DIR=/var/vcap/sys/log/kube-controller-manager
 
-if [ -e /var/vcap/jobs/cloud-provider/bin/cloud-provider_utils ]; then
-  . /var/vcap/jobs/cloud-provider/bin/cloud-provider_utils
-  set_cloud_provider
-  cloud_config="/var/vcap/jobs/cloud-provider/config/cloud-provider.ini"
-else
-  cloud_provider=""
-  cloud_config=""
-fi
-
 # shellcheck disable=SC1091
 . /var/vcap/packages/pid_utils/pid_utils.sh
+. /var/vcap/packages/kubo-common/utils.sh
 
 setup_directories() {
   mkdir -p "$RUN_DIR" "$LOG_DIR"
@@ -35,9 +27,8 @@ send_process_stderr_to_logfile() {
 
 start_kube_controller_manager() {
 
-  if [ "${cloud_provider}" != "" ] && [ -f /sys/class/dmi/id/product_serial ]; then
-    chmod a+r /sys/class/dmi/id/product_serial
-  fi
+  detect_cloud_config
+  check_and_chmod_product_serial $cloud_provider
 
   exec chpst -u vcap:vcap  \
     kube-controller-manager \

diff --git a/jobs/kubelet/spec b/jobs/kubelet/spec
@@ -13,6 +13,7 @@ templates:
   config/ca.pem.erb: config/ca.pem
 
 packages:
+- kubo-common
 - pid_utils
 - kubernetes
 - cni

diff --git a/jobs/kubelet/templates/bin/pre-start.erb b/jobs/kubelet/templates/bin/pre-start.erb
@@ -5,28 +5,18 @@ set -exu -o pipefail
 CONF_DIR=/var/vcap/jobs/kubelet/config
 PKG_DIR=/var/vcap/packages/kubernetes
 
+source /var/vcap/packages/kubo-common/utils.sh
+
 get_cloud_property() {
   local property_name="${1}="
   local prefix_length=$(echo "${property_name}" | wc -c | tr -d ' ')
   grep "${property_name}" "${cloud_config}" | tr -d '"' | cut -c${prefix_length}-
 }
 
-detect_cloud_config() {
-  if [ -e /var/vcap/jobs/cloud-provider/bin/cloud-provider_utils ]; then
-    source /var/vcap/jobs/cloud-provider/bin/cloud-provider_utils
-    set_cloud_provider
-    cloud_config="/var/vcap/jobs/cloud-provider/config/cloud-provider.ini"
-  else
-    cloud_config=""
-    cloud_provider=""
-  fi
-}
-
 shutdown_rpcbind_if_its_running() {
   /etc/init.d/rpcbind stop || echo Already stopped.
 }
 
-
 update_vsphere_vms() {
    export GOVC_URL="$(get_cloud_property "server"):$(get_cloud_property "port")"
    export GOVC_USERNAME="$(get_cloud_property "user" | sed 's/\\\\/\\/g')"

diff --git a/packages/kubo-common/packaging b/packages/kubo-common/packaging
@@ -0,0 +1,3 @@
+set -e -x
+
+cp -a kubo-common/* ${BOSH_INSTALL_TARGET}
diff --git a/packages/kubo-common/spec b/packages/kubo-common/spec
@@ -0,0 +1,4 @@
+---
+name: kubo-common
+files:
+- kubo-common/utils.sh
diff --git a/src/kubo-common/utils.sh b/src/kubo-common/utils.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -exu
+
+detect_cloud_config() {
+  if [ -e /var/vcap/jobs/cloud-provider/bin/cloud-provider_utils ]; then
+    source /var/vcap/jobs/cloud-provider/bin/cloud-provider_utils
+    set_cloud_provider
+    cloud_config="/var/vcap/jobs/cloud-provider/config/cloud-provider.ini"
+  else
+    cloud_config=""
+    cloud_provider=""
+  fi
+}
+
+check_and_chmod_product_serial() {
+  local cloud_provider=$1
+  if [ "$cloud_provider" != "" ] && [ -f /sys/class/dmi/id/product_serial ]; then
+    chmod a+r /sys/class/dmi/id/product_serial
+  fi
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		set -e -x

		cp -a kubo-common/* ${BOSH_INSTALL_TARGET}