install/kubernetes: Remove sh and mount dependency from init cont…

…ainer The mount-cgroup init container runs a mount command on the underlying host using `nsenter`. However, certain distros like Talos don't have `sh` or `mount` utilities available. Hence, move the logic to check and mount cgroup2 fs to a statically linked Go program binary. Fixes: fa8bea4 ("cilium-daemonset: Fix ineffective socket-lb caused by incorrect cgroup2 fs mount") Signed-off-by: Aditi Ghag <aditi@cilium.io>
gazandic · Jul 8, 2021 · a76bbde · a76bbde
1 parent eecca2e
commit a76bbde
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ debug: all
 
 include Makefile.defs
 
-SUBDIRS_CILIUM_CONTAINER := proxylib envoy bpf cilium daemon cilium-health bugtool
+SUBDIRS_CILIUM_CONTAINER := proxylib envoy bpf cilium daemon cilium-health bugtool tools/mount
 SUBDIRS := $(SUBDIRS_CILIUM_CONTAINER) operator plugins tools hubble-relay
 
 SUBDIRS_CILIUM_CONTAINER += plugins/cilium-cni

diff --git a/install/kubernetes/cilium/templates/cilium-agent-daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent-daemonset.yaml
@@ -382,19 +382,24 @@ spec:
         env:
           - name: CGROUP_ROOT
             value: {{ .Values.cgroup.hostRoot }}
+          - name: BIN_PATH
+            value: {{ .Values.cni.binPath }}
         command:
-          - nsenter
-          - --cgroup=/hostproc/1/ns/cgroup
-          - --mount=/hostproc/1/ns/mnt
-          - --
           - sh
           - -c
-          - 'mount | grep "$CGROUP_ROOT type cgroup2" || { echo "Mounting cgroup filesystem..."; mount -t cgroup2 none $CGROUP_ROOT; }'
+          # The statically linked Go program binary is invoked to avoid any
+          # dependency on utilities like sh and mount that can be missing on certain
+          # distros installed on the underlying host. Copy the binary to the
+          # same directory where we install cilium cni plugin so that exec permissions
+          # are available.
+          - 'cp /usr/bin/cilium-mount /hostbin/cilium-mount && nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount'
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}{{ if .Values.image.useDigest }}@{{ .Values.image.digest }}{{ end }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         volumeMounts:
           - mountPath: /hostproc
             name: hostproc
+          - mountPath: /hostbin
+            name: cni-path
         securityContext:
           privileged: true
 {{- end }}

diff --git a/tools/Makefile b/tools/Makefile
@@ -1,9 +1,9 @@
-# Copyright 2017-2019 Authors of Cilium
+# Copyright 2017-2021 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
 include ../Makefile.defs
 
-SUBDIRS := alignchecker maptool
+SUBDIRS := alignchecker maptool mount
 
 .PHONY: all $(SUBDIRS) clean install
 

diff --git a/tools/mount/.gitignore b/tools/mount/.gitignore
@@ -0,0 +1 @@
+cilium-mount
diff --git a/tools/mount/Makefile b/tools/mount/Makefile
@@ -0,0 +1,27 @@
+# Copyright 2021 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+include ../../Makefile.defs
+
+TARGET := cilium-mount
+
+.PHONY: all $(TARGET) $(SUBDIRS) clean install
+
+all: $(TARGET)
+
+$(TARGET):
+	@$(ECHO_GO)
+	$(QUIET)$(GO_BUILD) -o $@
+
+clean:
+	@$(ECHO_CLEAN)
+	-$(QUIET)rm -f $(TARGET)
+	$(QUIET)$(GO_CLEAN)
+
+install:
+	$(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+	$(QUIET)$(INSTALL) -m 0755 $(TARGET) $(DESTDIR)$(BINDIR)
+
+install-binary: install
+
+install-bash-completion:
diff --git a/tools/mount/main.go b/tools/mount/main.go
@@ -0,0 +1,35 @@
+//  Copyright 2021 Authors of Cilium
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/cilium/cilium/pkg/cgroups"
+)
+
+func main() {
+	if len(os.Args) != 2 {
+		fmt.Fprintf(os.Stderr, "usage: %s <cgroup-mount-point> \n\n", os.Args[0])
+		os.Exit(1)
+	}
+
+	cgroupMountPoint := os.Args[1]
+	// This program is executed by an init container so we purposely don't
+	// exit with any error codes. In case of errors, the function will log warnings,
+	// but we don't block cilium agent pod from running.
+	cgroups.CheckOrMountCgrpFS(cgroupMountPoint)
+}