
group.of.nepali.translators team mailing list archive

[Bug 1664638] Re: Need an interface for kubernetes


This bug was fixed in the package snapd - 2.26.1+17.10

---------------
snapd (2.26.1+17.10) artful; urgency=medium

  * New upstream release, LP: #1690083
    - store: fix panic error in auth
    - tests: the new ubuntu-image snap needs classic confinement, adjust
      tests
    - cmd/snap-confine: don't fail on pre 3.8 kernel

snapd (2.26) xenial; urgency=medium

  * New upstream release, LP: #1690083
    - timeutil: avoid panicking when the window is very small
    - image: fix go vet issue
    - overlord/ifacestate: don't spam logs with harmless auto-connect
      messages
    - interfaces/builtin: add network-status interface
    - interfaces/builtin: add online-accounts-service interface
    - interfaces/builtin: distribute code of touching allInterfaces
    - interfaces: API additions for interface hooks
    - interfaces/builtin: add storage-framework-service interface
    - tests: disable create-key test on ppc64el for artful (expect not
      working)
    - snap: make `snap prepare-image --extra-snaps` derive side info
    - tests: unify tests/{main/completion,completion}/lib.exp0
    - cmd/snap: tweak info channels output
    - interfaces: ensure that legacy interface methods are unused
    - packaging: cleanup how built-using is generated
    - tests: extend kernel-module-control interface test
    - interfaces/network: workaround Go's need for NETLINK_ROUTE with
      'net'.
    - cmd/snap-confine: use defensive argument parser
    - tests: add test for empty snap name on revert
    - overlord/hookstate: remove unused Context.timeout
    - tests: additional setup in docker test for core systems
    - configstate: return error if patch is invalid
    - interfaces: add random interface
    - store, daemon, client, cmd/snap: handle PASSWORD_POLICY_ERROR
    - cmd/snap, client: add "whoami" command
    - cmd/snap: iterate interface tab completion
    - snap: move locale-control to only be present on classic
    - interfaces/browser-support: deny read on squashfs backing files
      and LVM vg names
    - tests: wait for the docker socket to be listening
    - snap: add `snap refresh --time` option
    - tests: re-enable and modernize /media sharing test
    - cmd: make rst2man optional
    - tests: remove quoting from [[ ]] when globs
    - interfaces: allow plugging DBus clients to introspect the slot
      service
    - packaging/ubuntu*/changelog: drop extra dash
    - snap-confine: init the ENTRY variable, coverity is unhappy
      otherwise
    - cmd/snap-confine/spread-tests: discard useless --version test
    - spread: add spread target qemu:debian-9-64
    - interfaces: mediate netlink sockets via seccomp
    - tests,cmd/snap-confine: port older snapd-discard-ns tests
    - cmd/snap-confine/tests: fix shellcheck on recently added files
    - tests/upgrade: force install core snap from beta for debian
    - overlord/snapstate/backend,interfaces/mount: move ns management
      code.
    - tests: extend network-control spread test to cope with network
      namespaces
    - tests: fail early in the spread suite if trying to run it inside a
      container
    - tests: set ownership of $PROJECT_PATH for the external backend
    - tests: specify the auto-refreshable snap being tested
    - many: fix tests with go1.8 / artful
    - fix for tests: debian does not have /snap/bin in secure_path so
      sudo
    - snap: support for snap tasks --last=...
    - cmd/snap-confine: remove obsolete debug message
    - address review feedback, add a lot of comments :-), call
      shellcheck on the completion scripts, fix a bug in compopt

 -- Michael Vogt <michael.vogt@xxxxxxxxxx>  Thu, 11 May 2017 21:44:27 +0200

** Changed in: snapd (Ubuntu Artful)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1664638

Title:
  Need an interface for kubernetes

Status in snapd:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in snapd source package in Trusty:
  Fix Committed
Status in snapd source package in Xenial:
  Fix Committed
Status in snapd source package in Yakkety:
  Fix Committed
Status in snapd source package in Zesty:
  Fix Committed
Status in snapd source package in Artful:
  Fix Released

Bug description:
  Working on creating a confined snap for kubelet. We're seeing a lot of
  denials. At least the following is needed to make kubelet work with
  the attached script:

  1. adjust kubelet to 'plugs: [ log-observe, mount-observe ]'

  2. adjust kubelet to make /var/log/containers snap-specific

  3. modprobe llc stp bridge br_netfilter

  4. create a kubernetes-support interface that allows (at least):

  # what is this for?
  #include <abstractions/dbus-strict>

  capability sys_resource,

  @{PROC}/diskstats r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/cgroup r,
  /sys/fs/cgroup/{,**} r,

  /sys/kernel/mm/hugepages/ r,
  @{PROC}/sys/kernel/random/boot_id r, # fixed already

  @{PROC}/sys/kernel/panic_on_oops rw,
  @{PROC}/sys/kernel/panic rw,
  @{PROC}/sys/kernel/keys/root_maxbytes r,
  @{PROC}/sys/kernel/keys/root_maxkeys r,
  @{PROC}/sys/vm/panic_on_oom r,
  @{PROC}/sys/vm/overcommit_memory rw,
  @{PROC}/@{pid}/oom_score_adj rw,

  # modprobe llc, stp, bridge, br_netfilter
  /sys/module/llc/initstate r,
  /sys/module/stp/initstate r,
  /sys/module/bridge/initstate r,
  /sys/module/br_netfilter/initstate r,
  @{PROC}/sys/net/bridge/bridge-nf-call-iptables rw,
  # seccomp blocks module loading, this is for listing
  /sys/module/apparmor/parameters/enabled r,
  /bin/kmod ixr,
  /etc/modprobe.d/{,**} r,

  ptrace (read, trace) peer=docker-default,
  ptrace (read, trace) peer=unconfined, # hrmm
  ptrace (read, trace) peer=snap.docker.dockerd,

  /bin/journalctl ixr,

  # make snap-specific
  /var/log/containers/{,**} rw,

  I'll put up a preliminary PR that implements the apparmor and kernel
  module policy so that people can play with this. In the meantime,
  after updating the kubelet snap to plugs log-observe and mount-observe
  and connect them, people can:

  $ sudo modprobe llc stp bridge br_netfilter
  # add the above policy to /var/lib/snapd/apparmor/profiles/snap.kubelet.kubelet, then run:
  $ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.kubelet.kubelet

  Locally at this point kubelet is spinning looking for the api service so
  I can't see what other accesses are required.

  = Original description =
  Working on creating a confined snap for kubelet. We're seeing a lot of errors trying to open files relating to cgroups:

  /proc/self/cgroup
  /sys/fs/cgroup/cpu,cpuacct/cpu.shares
  /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us
  /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us
  /sys/fs/cgroup/memory/memory.limit_in_bytes
  /sys/fs/cgroup/memory/memory.soft_limit_in_bytes
  /sys/fs/cgroup/blkio
  /sys/fs/cgroup/memory
  /sys/fs/cgroup/cpuset

  The last three result in a hard failure of kubelet. There may be other
  files as well.

  Based on snappy-debug output, it looks like it's opening these files
  with the "r" flag, but I imagine it may need write access to some of
  these as well. I'm not sure.

  For some context, kubelet is the main process that runs on each node
  in a Kubernetes cluster. Its main purpose is to orchestrate Docker
  containers, and it looks like it's using cgroups for tight control
  over the utilization of hardware resources.
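As an added example (not code from the bug report or from snapd), the following Python checks a batch of AppArmor denial lines of the kind snappy-debug summarises against a candidate rule set such as the one proposed above, and reports which denials would still be left after the profile is reloaded. The audit lines are constructed for the example; the rule subset is taken from the report's list, and the glob translation covers only the constructs that list uses (`**`, `*`, `{a,b}`, `@{PROC}`, `@{pid}`).

```python
# Added example (not from the bug report or snapd): report which AppArmor
# denials a proposed set of profile rules would still leave unresolved.
import re
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample audit lines in the format the AppArmor LSM emits; the
# values are made up. AppArmor logs the resolved path, so an open of
# /proc/self/cgroup is reported under the caller's pid.
SAMPLE_LOG = """\
audit: type=1400 audit(1487000000.101:11): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/1234/cgroup" pid=1234 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.102:12): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/memory/memory.limit_in_bytes" pid=1234 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.103:13): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/var/log/containers/pod1.log" pid=1234 comm="kubelet" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.104:14): apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" pid=1234 comm="kubelet" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1487000000.105:15): apparmor="DENIED" operation="capable" profile="snap.kubelet.kubelet" pid=1234 comm="kubelet" capability=24 capname="sys_resource"
audit: type=1400 audit(1487000000.106:16): apparmor="DENIED" operation="capable" profile="snap.kubelet.kubelet" pid=1234 comm="kubelet" capability=12 capname="net_admin"
"""

# Subset of the rules proposed in the bug report, in AppArmor profile syntax.
CANDIDATE_RULES = """\
capability sys_resource,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/cgroup r,
/sys/fs/cgroup/{,**} r,
@{PROC}/sys/kernel/random/boot_id r, # fixed already
/var/log/containers/{,**} rw,
"""

# Only the two tunables the report uses are expanded; @{pid} becomes a marker.
VARIABLES = {"@{PROC}": "/proc", "@{pid}": "\x01"}
Rule = Tuple[str, FrozenSet[str], Optional[re.Pattern]]  # kind, perms, path regex


def glob_to_regex(glob: str) -> re.Pattern:
    """AppArmor glob to anchored regex: '**' crosses '/', '*' does not,
    '{a,b}' is alternation, @{pid} is a run of digits."""
    for var, value in VARIABLES.items():
        glob = glob.replace(var, value)
    out, depth, i = [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c in "{}":
            depth += 1 if c == "{" else -1
            out.append("(?:" if c == "{" else ")")
        elif c == "," and depth > 0:   # ',' is alternation only inside {...}
            out.append("|")
        elif c == "\x01":
            out.append("[0-9]+")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def expand_perms(perms: str) -> FrozenSet[str]:
    """AppArmor 'w' also grants append, create and delete, which appear in
    denial masks as 'a', 'c' and 'd'."""
    out = set(perms)
    if "w" in out:
        out.update("acd")
    return frozenset(out)


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line.endswith(","):
            continue
        line = line[:-1].strip()
        if line.startswith("capability "):
            rules.append(("capability", frozenset(line.split()[1:]), None))
        else:
            path, perms = line.rsplit(None, 1)
            rules.append(("file", expand_perms(perms), glob_to_regex(path)))
    return rules


AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line: str) -> Optional[dict]:
    """Return the key=value fields of an apparmor="DENIED" audit line."""
    fields = {k: q or u for k, q, u in AUDIT_KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def triage(log_text: str, rules_text: str) -> List[str]:
    """List the denials that no candidate rule would permit."""
    rules = parse_rules(rules_text)
    unresolved = []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        if d.get("operation") == "capable":
            ok = any(kind == "capability" and d["capname"] in perms
                     for kind, perms, _ in rules)
            label = f"capability {d['capname']}"
        else:
            want = set(d.get("requested_mask", ""))
            ok = any(kind == "file" and pat.match(d.get("name", "")) and want <= perms
                     for kind, perms, pat in rules)
            label = f"{d.get('name', '')} {d.get('requested_mask', '')}"
        if not ok:
            unresolved.append(label)
    return unresolved


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG, CANDIDATE_RULES):
        print("still denied:", item)
```

Run directly, it prints the entries the candidate rules do not cover (in the constructed sample: write access under /sys/fs/cgroup and CAP_NET_ADMIN), so a rule that needs widening shows up before the profile is reloaded with apparmor_parser rather than as a fresh denial afterwards.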

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1664638/+subscriptions