Using cilium in Docker requires patching mounts #5286
Comments
The new entrypoint script will only try to remount the cgroup fs if it's read-only. Since you're running the container with That said, the script and the docs are not covering anything BPF related. They're tailored to make the things work that are part of stock k0s. So if you know what's necessary to make cilium work for you inside Docker, then this might be worth an additional section in the docs.
Thanks for replying! Adding

```
+ mount --make-rslave /
+ cat /proc/mounts
+ grep sys
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
+ mount -o remount,rw /sys/fs/cgroup
mount: can't find /sys/fs/cgroup in /proc/mounts
```

When I don't use the k0s entrypoint at all, but instead rely on the k3d entrypoints, then my cilium setup works as expected (without using

```bash
#!/bin/bash
set -euo pipefail

KUBE_API_SERVER=https://localhost:6443

docker compose --verbose -f - up --build -d <<EOF
services:
  k0s:
    # Don't use the included k0s entrypoint
    entrypoint: sh
    # Add the k3d entrypoints to fix the cgroups and mounts
    build:
      context: .
      dockerfile_inline: |
        FROM docker.io/k0sproject/k0s:v1.31.2-k0s.0
        # Add k3d entrypoints
        ADD --chmod=0755 https://raw.githubusercontent.com/k3d-io/k3d/60695db835ea8d3f0f6c95cc320a068d8aa5c44d/pkg/types/fixes/assets/k3d-entrypoint-cgroupv2.sh /entrypoint-cgroupv2.sh
        ADD --chmod=0755 https://raw.githubusercontent.com/k3d-io/k3d/8d54019838f3a516e6f28fdb5ac15aff2246986e/pkg/types/fixes/assets/k3d-entrypoint-mounts.sh /entrypoint-mounts.sh
    command: |-
      -c '
      set -euxo pipefail
      # Run the k3d entrypoints to fix the cgroups and mounts
      ./entrypoint-cgroupv2.sh
      ./entrypoint-mounts.sh
      k0s controller --single \
        --disable-components metrics-server \
        --config=/etc/k0s/k0s.yaml \
      '
    volumes:
      - /var/lib/k0s
      - /var/log/pods
      - /lib/modules:/lib/modules:ro # required to get cilium working
    container_name: k0s
    hostname: k0s
    privileged: true
    tmpfs:
      - /run
      - /tmp
    ports:
      - 80:80
      - 443:443
      - 6443:6443
    network_mode: "bridge"
    restart: no
    configs:
      - source: k0s.yaml
        target: /etc/k0s/k0s.yaml

configs:
  k0s.yaml:
    content: |
      apiVersion: k0s.k0sproject.io/v1beta1
      kind: ClusterConfig
      metadata:
        name: k0s
      spec:
        telemetry:
          enabled: false
        network:
          kubeProxy:
            disabled: true
          provider: custom
        api:
          sans:
            - localhost
EOF

# Wait until the API server answers (401 = up, but unauthenticated)
while [ ! "$(curl -k -s -o /dev/null -w "%{http_code}" https://localhost:6443)" -eq 401 ]; do
  echo "Sleep..."
  sleep 1
done

KUBECONFIG=$(mktemp -t kubeconfig)
export KUBECONFIG
docker exec k0s k0s kubeconfig admin >"$KUBECONFIG"
kubectl config set clusters.local.server "$KUBE_API_SERVER"
echo "Written kubeconfig to: $KUBECONFIG"

# Gateway API CRDs required by the cilium Gateway API support
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml

cilium install --version 1.16.4 \
  --set k8sServiceHost=localhost \
  --set k8sServicePort=6443 \
  --set kubeProxyReplacement=true \
  --set gatewayAPI.enabled=true \
  --set gatewayAPI.hostNetwork.enabled=true \
  --set envoy.securityContext.capabilities.keepCapNetBindService=true \
  --set cgroup.autoMount.enabled=false \
  --set cgroup.hostRoot=/sys/fs/cgroup
cilium status --wait --wait-duration=10m

# Apply the echo example from https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/splitting/
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/1.16.4/examples/kubernetes/gateway/echo.yaml
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/1.16.4/examples/kubernetes/gateway/splitting.yaml

# Wait for the echo deployments to be ready
kubectl rollout status deployment echo-1
kubectl rollout status deployment echo-2
sleep 1
curl --fail -s http://localhost/echo && echo "Cilium working as expected!"
```

Could the steps the k3d entrypoints perform (or functionally equal ones) be added to the k0s entrypoint?
Turns out the new entrypoint already covers fixing the cgroups through the

So the only change/addition required to the entrypoint to make cilium work in docker is running:

Which is what k3d has been doing for a while now. Could this please be included in the new entrypoint?

Working example with the new entrypoint, without

```bash
#!/bin/bash
set -euo pipefail

KUBE_API_SERVER=https://localhost:6443

docker compose --verbose -f - up --build -d <<EOF
services:
  k0s:
    build:
      context: .
      dockerfile_inline: |
        FROM docker.io/k0sproject/k0s:v1.31.2-k0s.0
        # Use the new entrypoint script
        ADD --chmod=0755 https://raw.githubusercontent.com/k0sproject/k0s/18d3545594b8abac7e50aa70720dea44337f25fa/docker-entrypoint.sh /entrypoint.sh
    command: |-
      sh -c '
      set -euxo pipefail
      # This command is required in order to fix cilium inside the container
      mount --make-rshared /
      k0s controller --single \
        --disable-components metrics-server \
        --config=/etc/k0s/k0s.yaml \
      '
    volumes:
      - /var/lib/k0s
      - /var/log/pods
      - /lib/modules:/lib/modules:ro # required to get cilium working
    container_name: k0s
    hostname: k0s
    privileged: true
    tmpfs:
      - /run
      - /tmp
    ports:
      - 80:80
      - 443:443
      - 6443:6443
    network_mode: "bridge"
    restart: no
    environment:
      # Role currently can't be auto-detected since I'm using sh -c to run additional commands
      # before starting k0s itself
      K0S_ENTRYPOINT_ROLE: controller+worker
    configs:
      - source: k0s.yaml
        target: /etc/k0s/k0s.yaml

configs:
  k0s.yaml:
    content: |
      apiVersion: k0s.k0sproject.io/v1beta1
      kind: ClusterConfig
      metadata:
        name: k0s
      spec:
        telemetry:
          enabled: false
        network:
          kubeProxy:
            disabled: true
          provider: custom
        api:
          sans:
            - localhost
EOF

# Wait until the API server answers (401 = up, but unauthenticated)
while [ ! "$(curl -k -s -o /dev/null -w "%{http_code}" https://localhost:6443)" -eq 401 ]; do
  echo "Sleep..."
  sleep 1
done

KUBECONFIG=$(mktemp -t kubeconfig)
export KUBECONFIG
docker exec k0s k0s kubeconfig admin >"$KUBECONFIG"
kubectl config set clusters.local.server "$KUBE_API_SERVER"
echo "Written kubeconfig to: $KUBECONFIG"

# Gateway API CRDs required by the cilium Gateway API support
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml

cilium install --version 1.16.4 \
  --set k8sServiceHost=localhost \
  --set k8sServicePort=6443 \
  --set kubeProxyReplacement=true \
  --set gatewayAPI.enabled=true \
  --set gatewayAPI.hostNetwork.enabled=true \
  --set envoy.securityContext.capabilities.keepCapNetBindService=true \
  --set cgroup.autoMount.enabled=false \
  --set cgroup.hostRoot=/sys/fs/cgroup
cilium status --wait --wait-duration=10m

# Apply the echo example from https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/splitting/
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/1.16.4/examples/kubernetes/gateway/echo.yaml
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/1.16.4/examples/kubernetes/gateway/splitting.yaml

# Wait for the echo deployments to be ready
kubectl rollout status deployment echo-1
kubectl rollout status deployment echo-2
sleep 1
curl --fail -s http://localhost/echo && echo "Cilium working as expected!"
```

Perhaps like this? I haven't had time yet to make a PR and meet all the contributor requirements.
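The thread turns on two conditions inside the privileged container: whether the root mount is shared (so `mount --make-rshared /` is needed) and whether a writable cgroup2 hierarchy is mounted at /sys/fs/cgroup (so the entrypoint's remount is needed). The check below is an added example, not code from k0s, k3d or the reporter's scripts. It reads /proc/self/mountinfo-formatted text, the embedded mountinfo sample is constructed rather than captured from any real host, and it only prints the mount commands it would run unless invoked as root with `--apply`, which is the dry run you would want before changing propagation on a container.

```shell
#!/bin/sh
# Added example (not from the k0s or k3d projects): inspect mount propagation
# and the cgroup filesystem the way an entrypoint would before deciding whether
# "mount --make-rshared /" or a cgroup remount is needed.
set -eu

# Print the propagation type of mount point $1 (private, shared, slave,
# shared+slave or unbindable), reading mountinfo from file $2 (default:
# /proc/self/mountinfo). Field 5 is the mount point; the optional fields between
# field 7 and the "-" separator carry "shared:N", "master:N" and "unbindable".
mount_propagation() {
    awk -v mp="$1" '
        $5 == mp {
            shared = 0; slave = 0; unbind = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/)    shared = 1
                if ($i ~ /^master:/)    slave = 1
                if ($i == "unbindable") unbind = 1
            }
            if (unbind)               print "unbindable"
            else if (shared && slave) print "shared+slave"
            else if (shared)          print "shared"
            else if (slave)           print "slave"
            else                      print "private"
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    ' "${2:-/proc/self/mountinfo}"
}

# Print "<fstype> <rw|ro>" for mount point $1 (e.g. "cgroup2 rw"), or "absent".
# The fstype is the first field after the "-" separator; the per-mount rw/ro
# flag is the first entry of the mount options in field 6.
mount_fs_state() {
    awk -v mp="$1" '
        $5 == mp {
            for (i = 7; i <= NF && $i != "-"; i++) { }
            split($6, opts, ",")
            print $(i + 1), opts[1]
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    ' "${2:-/proc/self/mountinfo}"
}

# Print one action per line that an entrypoint would still have to take;
# prints nothing when the container is already in the expected state.
entrypoint_actions() {
    f=${1:-/proc/self/mountinfo}
    case $(mount_propagation / "$f") in
        shared|shared+slave) ;;
        *) echo "mount --make-rshared /" ;;
    esac
    case $(mount_fs_state /sys/fs/cgroup "$f") in
        "cgroup2 rw") ;;
        "cgroup2 ro") echo "mount -o remount,rw /sys/fs/cgroup" ;;
        absent)       echo "# /sys/fs/cgroup is not mounted" ;;
        *)            echo "# cgroup v1 hierarchy at /sys/fs/cgroup, cgroup v2 expected" ;;
    esac
}

# Constructed sample of what a privileged Docker container might show; it is
# illustrative data, not captured from the reporter's setup.
SAMPLE_MOUNTINFO='1234 1200 0:130 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B,upperdir=/var/lib/docker/overlay2/x/diff,workdir=/var/lib/docker/overlay2/x/work
1235 1234 0:133 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1240 1234 0:137 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
1241 1240 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
1250 1234 0:140 / /run rw,nosuid,nodev,noexec,relatime shared:700 - tmpfs tmpfs rw,size=65536k,mode=755'

# With --apply, run the actions for real (root required); without it, only
# print them so the script can be used as a dry run.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" = 0 ] || { echo "--apply must run as root" >&2; exit 1; }
    entrypoint_actions | while read -r action; do
        case $action in
            "#"*) echo "$action" >&2 ;;
            *)    echo "+ $action" >&2; $action ;;
        esac
    done
fi
```

Run as `./mountcheck.sh` inside the container it prints the outstanding commands for the live /proc/self/mountinfo; the functions take a file argument so they can also be pointed at a saved mountinfo from a failing container. On the constructed sample, `/` is private and cgroup2 is already mounted rw, so the only action reported is `mount --make-rshared /`, which is exactly the command the comment above adds before starting k0s.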
Platform
`docker info`
Version
v1.31.2+k0s.0
Sysinfo
`k0s sysinfo`
What happened?
I've tried the latest k0s version with the new entrypoint script by @twz123. I was hoping it would fix the issues I'm having with running k0s + cilium, but unfortunately the entrypoint doesn't solve them. The log is full of these errors:
And the cilium pods never start.
Steps to reproduce
Run this script to reproduce the issue:
Expected behavior
For cilium pods to come up and the script to continue past `cilium status --wait --wait-duration=10m`.
Actual behavior
The script times out waiting for cilium pods to come up.
Screenshots and logs
No response
Additional context
The below version of the script has the workarounds in place to make cilium work:
- `cgroup: host` in the compose file
- `mount --make-rshared /` as part of the entrypoint

With just `mount --make-rshared /` and not using `cgroup: host` I still run into these errors (and cilium pods don't start):

Working script:
References: