From 8f36eed295607641ff8755c252485dfe6b82d547 Mon Sep 17 00:00:00 2001 From: Sergiotarxz Date: Thu, 19 Oct 2023 22:31:22 +0200 Subject: [PATCH] Adding instructions to create kubernetes ready vm. --- generate_qemu_img.pl | 40 +-- generate_system.pl | 11 +- install_system.pl | 26 +- lib/BaseUtils.pm | 52 ++++ packages | 28 +- prepare_system.pl | 18 +- root_final/.exists | 0 root_final/etc/containerd/config.toml | 274 ++++++++++++++++++ root_final/etc/sudoers | 99 +++++++ root_final/etc/sysctl.d/kubernetes.conf | 3 + .../system/kubelet.service.d/10-kubeadm.conf | 11 + root_stage/.exists | 0 .../package.accept_keywords/zz-autounmask | 8 + zz-use | 4 + 14 files changed, 538 insertions(+), 36 deletions(-) create mode 100644 root_final/.exists create mode 100644 root_final/etc/containerd/config.toml create mode 100644 root_final/etc/sudoers create mode 100644 root_final/etc/sysctl.d/kubernetes.conf create mode 100644 root_final/etc/systemd/system/kubelet.service.d/10-kubeadm.conf create mode 100644 root_stage/.exists create mode 100644 root_stage/etc/portage/package.accept_keywords/zz-autounmask diff --git a/generate_qemu_img.pl b/generate_qemu_img.pl index c93ce72..88cf43a 100644 --- a/generate_qemu_img.pl +++ b/generate_qemu_img.pl @@ -34,9 +34,7 @@ sub main() { eval { modprobeNbd(); createQemuImage( $dest_img, $size_img ); - say 4; mountQemuNbd($dest_img); - say 5; createPartitionTable(); formatPartitions(); my $root_partuuid = retrieveRootPartuuid(); 
@@ -48,6 +46,15 @@ sub main() { my $vmlinuz = $utils->getVmlinuz($tempdir_installation); generateExtlinuxConf( $tempdir_installation, $root_partuuid, $vmlinuz ); installRootUser($tempdir_installation); + $utils->execChroot($tempdir_installation, 'useradd', '-m', 'kube'); + $utils->execChroot($tempdir_installation, 'gpasswd', '-a', 'kube', 'docker'); + $utils->execChroot($tempdir_installation, 'gpasswd', '-a', 'kube', 'wheel'); + my $wait_sub = BaseUtils::openWriteCommandChroot($utils, my $fh, $tempdir_installation, 'chpasswd'); + say $fh 'kube:kube'; + close $fh; + if ($wait_sub->() != 0) { + die 'Unable to chpasswd'; + } }; if ($@) { say STDERR $@; @@ -60,7 +67,6 @@ sub installRootUser($tempdir_installation) { my $passwd_contents = ''; open my $fh, '<', $passwd; while (my $line = <$fh>) { - say $line; if ($line =~ /^root:/) { my @fields = split ':', $line; $fields[1] = 'x'; @@ -101,22 +107,22 @@ sub umountTempDir ($tempdir_installation) { } sub mountTempDir ($tempdir_installation) { - my $return_code = system 'mount', '/dev/nbd5p2', $tempdir_installation; + my $return_code = system 'mount', '/dev/nbd1p2', $tempdir_installation; if ( $return_code != 0 ) { - die 'Unable to mount nbd5p2'; + die 'Unable to mount nbd1p2'; } my $boot = $tempdir_installation->child('boot'); $boot->mkpath; - $return_code = system 'mount', '/dev/nbd5p1', $boot; + $return_code = system 'mount', '/dev/nbd1p1', $boot; if ( $return_code != 0 ) { - die 'Unable to mount nbd5p1'; + die 'Unable to mount nbd1p1'; } } sub retrieveRootUuid { open my $fh, '-|', 'blkid'; while ( my $line = <$fh> ) { - if ( $line !~ m{/dev/nbd5p2} ) { + if ( $line !~ m{/dev/nbd1p2} ) { next; } my ($return) = $line =~ /(UUID=\S+)/; @@ -128,7 +134,7 @@ sub retrieveRootUuid { sub retrieveRootPartuuid { open my $fh, '-|', 'blkid'; while ( my $line = <$fh> ) { - if ( $line !~ m{/dev/nbd5p2} ) { + if ( $line !~ m{/dev/nbd1p2} ) { next; } my ($return) = $line =~ /(PARTUUID=\S+)/; 
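Review bot: The `kube` account is created with a fixed, published password (`say $fh 'kube:kube'`) and added to both `wheel` and `docker`, so together with the `%wheel ALL=(ALL:ALL) NOPASSWD: ALL` rule and the sshd enablement added elsewhere in this commit every built image ships the same passwordless-root credential; membership of `docker` is root-equivalent on its own. Take the password from the build environment and fail when it is absent, e.g. `my $kube_password = $ENV{KUBE_PASSWORD} // die 'KUBE_PASSWORD not set';` followed by `say $fh "kube:$kube_password";`, or install an SSH public key and lock the password (`usermod -L kube`) instead. `close $fh` is unchecked as well, and with a pipe that is where a failed write surfaces. main() starts outside the hunk.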
@@ -140,7 +146,7 @@ sub retrieveRootPartuuid { sub retrieveBootPartuuid { open my $fh, '-|', 'blkid'; while ( my $line = <$fh> ) { - if ( $line !~ m{/dev/nbd5p1} ) { + if ( $line !~ m{/dev/nbd1p1} ) { next; } my ($return) = $line =~ /(PARTUUID=\S+)/; @@ -155,17 +161,16 @@ $boot\t/boot\tvfat\tnoauto,noatime\t1 2 $root\t/\text4\tnoatime\t0 1 EOF my $fstab = $tempdir_installation->child('etc/fstab'); - say $fstab; $fstab->spew_utf8($fstab_contents); } sub formatPartitions { - system 'mkfs.vfat', '/dev/nbd5p1'; - system 'mkfs.ext4', '/dev/nbd5p2'; + system 'mkfs.vfat', '/dev/nbd1p1'; + system 'mkfs.ext4', '/dev/nbd1p2'; } sub createPartitionTable { - open my $fh, "|-", 'fdisk', '/dev/nbd5'; + open my $fh, "|-", 'fdisk', '/dev/nbd1'; print $fh <<'EOF'; g n @@ -192,12 +197,13 @@ sub createQemuImage ( $dest_img, $size_img ) { } sub modprobeNbd { - system 'rmmod', '-f', 'nbd'; + system 'rmmod', 'nbd'; system 'modprobe', 'nbd'; + sleep 5; } sub mountQemuNbd ($dest_img) { - my $return_code = system 'qemu-nbd', '--connect=/dev/nbd5', $dest_img; + my $return_code = system 'qemu-nbd', '--connect=/dev/nbd1', $dest_img; if ( $return_code != 0 ) { die 'Unable to mount qemu-nbd.'; } @@ -205,5 +211,5 @@ sub mountQemuNbd ($dest_img) { sub umountQemuNbd { system 'umount', '-R', '/mnt/image'; - system 'qemu-nbd', '--disconnect', '/dev/nbd5'; + system 'qemu-nbd', '--disconnect', '/dev/nbd1'; } diff --git a/generate_system.pl b/generate_system.pl index ee84325..5f31ae9 100644 --- a/generate_system.pl +++ b/generate_system.pl @@ -5,7 +5,6 @@ use v5.36.0; use strict; use warnings; use utf8; -use GnuPG; use Path::Tiny; use Mojo::UserAgent; 
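Review bot: The fixed `sleep 5` after `modprobe nbd` in modprobeNbd papers over the delay before udev creates the device node, and neither `system` call checks its return value, unlike mountTempDir in the same file. Poll for the node with a bound instead of sleeping blindly: `my $tries = 0; until (-e '/dev/nbd1') { die 'nbd1 did not appear' if ++$tries > 10; sleep 1; }`. Ignoring a failing `rmmod nbd` is acceptable only because `modprobe` of an already-loaded module is a no-op; a `warn` on the non-zero result would at least record that the module was in use.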
@@ -54,7 +53,15 @@ sub _downloadGentooStage($stage, $stage_asc) { for my $h4 ($dom->find('h4')->each) { next if $h4->text !~ /Stage/; my @next_list_groups = $h4->following('div.list-group')->each; - my $url = $next_list_groups[0]->at('a')->attr('href'); + my $url; + for my $a ($next_list_groups[0]->find('a')->each) { + my $inner_url = $a->attr('href'); + if ($inner_url =~ /systemd/) { + $url = $inner_url; + last; + } + } + die 'Unable to find gentoo stage' if (!defined $url); $stage->spew_raw($ua->get($url)->result->body); $stage_asc->spew_raw($ua->get($url . '.asc')->result->body); last; diff --git a/install_system.pl b/install_system.pl index f7ed8d8..39a8b30 100644 --- a/install_system.pl +++ b/install_system.pl 
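Review bot: `$ua->get($url)->result->body` is written to `$stage` without checking the HTTP status, so a 404 or redirect page would be saved as the stage tarball; the `.asc` fetch has the same gap. Use `my $res = $ua->get($url)->result; die "GET $url: " . $res->code unless $res->is_success;` before each `spew_raw`. The previous hunk drops `use GnuPG;` while the `.asc` signature is still downloaded here — if nothing else in the file verifies it, the stage download is now unauthenticated; please confirm where the signature is checked. The `/systemd/` match is unanchored and takes the first link containing that substring, which may not be the intended variant if the listing changes. _downloadGentooStage starts outside the hunk.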
@@ -22,37 +22,39 @@ sub main() { $target_dir = path($target_dir); $destination_dir = path($destination_dir); $utils->createBasicMountsChroot($target_dir); - populateDirectory($destination_dir); my $mnt_gentoo = $target_dir->child('mnt/gentoo'); - $utils->createBasicMountsChroot($mnt_gentoo); + populateDirectory($destination_dir); populateDirectory($mnt_gentoo); $utils->mountRbind($destination_dir, $mnt_gentoo); + $utils->createBasicMountsChroot($mnt_gentoo); my $packages = $utils->readPackagesToInstall(); $utils->execChroot($target_dir, 'emerge', '--root', '/mnt/gentoo', '--noreplace', '-K', @$packages); - $utils->execChroot($mnt_gentoo, 'rc-update add nginx default'); - $utils->execChroot($mnt_gentoo, 'rc-update add local default'); - my @boot_services = qw( hwclock modules fsck root mtab swap localmount systemd-tmpfiles-setup - termencoding seedrng sysctl bootmisc save-termencoding keymaps save-keymaps procfs binfmt - loopback hostname ); - my @sysinit_services = qw( sysfs devfs udev kmod systemd-tmpfiles-setup-dev dmesg udev cgroups ); + $utils->execChroot($mnt_gentoo, 'systemctl', 'enable', 'nginx'); + $utils->execChroot($mnt_gentoo, 'systemctl', 'enable', 'docker'); + $utils->execChroot($mnt_gentoo, 'systemctl', 'enable', 'sshd'); + $utils->execChroot($mnt_gentoo, 'systemctl', 'enable', 'systemd-resolved'); + my @boot_services = qw( systemd-tmpfiles-setup sysctl ); + my @sysinit_services; for my $service (@boot_services) { - $utils->execChroot($mnt_gentoo, 'rc-update', 'add', $service, 'boot'); + $utils->execChroot($mnt_gentoo, 'systemctl', 'enable', $service); } for my $service (@sysinit_services) { - $utils->execChroot($mnt_gentoo, 'rc-update', 'add', $service, 'sysinit'); + $utils->execChroot($mnt_gentoo, 'systemctl', 'enable', $service); } $utils->install('nginx.conf', $mnt_gentoo->child('etc/nginx/nginx.conf')); _installEfiSyslinux($target_dir, $mnt_gentoo); _installKernel($target_dir, $mnt_gentoo); + $utils->_installRootFiles( 
$mnt_gentoo->child('etc/portage'), $target_dir->child('etc/portage')); + $utils->_installRootFiles( $mnt_gentoo, path('root_final') ); _configureNetwork($mnt_gentoo); } + sub _configureNetwork($mnt_gentoo) { # $mnt_gentoo->child('etc/conf.d/net')->spew_utf8(<<'EOF'); #config_eth0="192.168.1.1/24" #EOF - system 'ln', '-sv', '/etc/init.d/net.lo', $mnt_gentoo->child('etc/init.d/net.eth0'); - $utils->execChroot($mnt_gentoo, 'rc-update', 'add', 'net.eth0', 'default'); + $utils->execChroot($mnt_gentoo, 'systemctl', 'enable', 'dhcpcd'); } sub _installKernel($target_dir, $mnt_gentoo) { diff --git a/lib/BaseUtils.pm b/lib/BaseUtils.pm index 13761f8..55284bc 100644 --- a/lib/BaseUtils.pm +++ b/lib/BaseUtils.pm @@ -62,6 +62,34 @@ sub chroot($self, $target) { chdir '/'; } +{ + no feature 'signatures'; + sub openWriteCommandChroot($\$$@) { + my $self = shift; + my $fh = shift; + pipe my ($read), $$fh; + my $parent_subroutine = $self->forkWait(); + if (defined $parent_subroutine) { + close $read; + return $parent_subroutine; + } + close $$fh; + my $target = shift; + $self->chroot($target); + my @command = @_; + open my $inner_fh, '|-', @command; + while (my $line = <$read>) { + chomp $line; + if (!length $line > 0) { + next; + } + say $inner_fh $line; + } + close $inner_fh; + my $return_code = $?; + exit $?; + } +} sub execChroot($self, $target, @command) { my $parent_subroutine = $self->forkWait(); if (defined $parent_subroutine) { @@ -135,8 +163,13 @@ sub createBasicMountsChroot ($self, $target) { $dest_run->mkpath; $self->mountType( 'proc', $dest_proc ); + system 'mount', '--make-slave', $dest_proc; $self->mountType( 'sysfs', $dest_sys ); + system 'mount', '--make-slave', $dest_sys; $self->mountRbind( '/dev', $dest_dev ); + system 'mount', '--make-slave', $dest_dev; + $self->mountRbind( '/run', $dest_run ); + system 'mount', '--make-slave', $dest_run; } { my $mounts; 
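Review bot: `_installRootFiles` is called across packages from install_system.pl (and again from prepare_system.pl) although its leading underscore marks it as private to BaseUtils; drop the underscore or add a public wrapper. The copy of `root_final` installs `/etc/sudoers`, which sudo refuses unless it is root-owned and not group/world-writable (0440 is the expected mode) — it is not visible here whether `install` sets that, so `$utils->execChroot($mnt_gentoo, 'visudo', '-c')` after the copy would catch both a bad mode and a syntax error at build time. Enabling `sshd` here should be read together with the `kube:kube` default password added in generate_qemu_img.pl; see that hunk. main() starts outside the hunk.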
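Review bot: `exit $?` at the end of openWriteCommandChroot passes the raw wait status to exit, and exit keeps only the low byte, so a command failing with exit code 1 (`$? == 256`) makes the child exit 0 and the `$wait_sub->() != 0` check in the caller never fires — a failed `chpasswd` goes unnoticed. Shift it: `my $status = $? >> 8; $status = 128 + ($? & 127) if $? & 127; exit $status;` and drop the unused `$return_code`. `open my $inner_fh, '|-', @command` has no `or die`, so a missing binary is reported only through the same lost status. `if (!length $line > 0)` parses as `(!length $line) > 0`; it happens to skip only empty lines, but `next unless length $line;` says so directly. The `($\$$@)` prototype exists only to pass `$fh` by reference; taking `\my $fh` explicitly or returning the handle alongside the wait sub would avoid disabling signatures for the block.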
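Review bot: The four new `system 'mount', '--make-slave', ...` calls in createBasicMountsChroot ignore their return values, so a failed propagation change leaves the rbind of `/dev` and `/run` shared and unmounts under the chroot may propagate back to the host; wrap them, e.g. `system('mount', '--make-slave', $dest_dev) == 0 or die "make-slave $dest_dev failed";`. Rbind-mounting the host's whole `/run` also exposes every host runtime socket present there to commands executed via execChroot; if only a subset (such as `/run/udev`) is needed, mount that instead. createBasicMountsChroot starts outside the hunk.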
@@ -150,4 +183,23 @@ sub createBasicMountsChroot ($self, $target) { return $mounts; } } + +sub _installRootFiles ( $self, $target, $files_dir ) { + my $stage_root_source = path($files_dir); + $stage_root_source->visit( + sub { + my ( $path, $state ) = @_; + if ( !-f $path ) { + return; + } + my $target_path = $target->child( $path =~ s{^$files_dir/*}{}r ); + $target_path->parent->mkpath; + my $basename = $path->basename; + return if $basename eq '.exists'; + say "Installing $path."; + $self->install( $path, $target_path ); + }, + { recurse => 1 } + ); +} 1; diff --git a/packages b/packages index d8da5c5..2cbf81a 100644 --- a/packages +++ b/packages @@ -2,7 +2,7 @@ nginx bash coreutils perl -openrc +systemd gentoo-kernel grep kbd @@ -25,3 +25,29 @@ acct-user/sshd acct-user/tss acct-user/root acct-group/root +@system +app-emulation/qemu +app-emulation/libvirt +sys-cluster/kubectl +app-containers/kompose +app-containers/docker +net-firewall/conntrack-tools +docker-cli +cri-tools +acct-group/wheel +sys-cluster/cilium-cli +sys-cluster/kubelet +app-editors/vim +app-misc/screen +sudo +kubeadm +sys-cluster/kube-apiserver +dev-db/etcd +app-containers/cni-plugins +syslog-ng +kubeletctl +ethtool +socat +dhcpcd +cri-o +app-containers/podman diff --git a/prepare_system.pl b/prepare_system.pl index 9fc1b98..74565fb 100644 --- a/prepare_system.pl +++ b/prepare_system.pl @@ -27,10 +27,11 @@ sub main { my $resolv_conf = path('/etc/resolv.conf'); my $zz_use = path('zz-use'); - my $packages = $utils->readPackagesToInstall(); + my $packages = $utils->readPackagesToInstall(); my $build_packages = $utils->readBuildPackagesToInstall(); _checkValidSystem($target_dir); + $utils->_installRootFiles( $target_dir, path('root_stage') ); _installMakeConf( $target_dir, $make_conf ); _installGentooConf( $target_dir, $gentoo_conf ); _installResolvConf( $target_dir, $resolv_conf ); 
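Review bot: `$path =~ s{^$files_dir/*}{}r` interpolates the directory name into the regex unescaped, so a metacharacter in `$files_dir` (a `.` in `./root_final`, a `+`, parentheses) changes what is matched and stripped; quote it with `s{^\Q$files_dir\E/*}{}r`, or derive the relative path with `$path->relative($stage_root_source)` and avoid the regex altogether. `$target_path->parent->mkpath` runs before the `.exists` marker is skipped, so the marker still creates its directory; that appears intentional and deserves a one-line comment. Since this sub now installs files such as `etc/sudoers`, a comment stating whether `install` preserves mode and ownership would tell callers what to expect.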
@@ -41,7 +42,8 @@ sub main { _removePerlCleanerDep($target_dir); _updateSystem($target_dir); _depclean($target_dir); - _installNeededPackages( $target_dir, $packages, $build_packages, $rebuild_bin ); + _installNeededPackages( $target_dir, $packages, $build_packages, + $rebuild_bin ); } sub _removePerlCleanerDep ($target) { @@ -64,6 +66,10 @@ sub _depclean ($target) { } sub _updateSystem ($target) { + $utils->execChroot($target, 'cp', '/var/db/repos/gentoo/app-containers/cri-tools/cri-tools-1.27.0.ebuild', '/var/db/repos/gentoo/app-containers/cri-tools/cri-tools-1.28.0.ebuild'); + $utils->execChroot($target, 'ebuild', '/var/db/repos/gentoo/app-containers/cri-tools/cri-tools-1.28.0.ebuild', 'manifest'); + $utils->execChroot($target, 'cp', '/var/db/repos/gentoo/sys-cluster/cilium-cli/cilium-cli-0.13.0.ebuild', '/var/db/repos/gentoo/sys-cluster/cilium-cli/cilium-cli-0.15.11.ebuild',); + $utils->execChroot($target, 'ebuild', '/var/db/repos/gentoo/sys-cluster/cilium-cli/cilium-cli-0.15.11.ebuild', 'manifest'); my $return_code = $utils->execChroot( $target, 'emerge', '-uUDN', '@world' ); if ( $return_code != 0 ) { @@ -82,14 +88,18 @@ sub _rebuildBinaries ($target) { } } -sub _installNeededPackages ( $target, $packages, $build_packages, $rebuild_bin ) { +sub _installNeededPackages ( $target, $packages, $build_packages, $rebuild_bin ) +{ my $return_code = - $utils->execChroot( $target, 'emerge', ( $rebuild_bin ? ('-e') : ('--noreplace', ) ), @$packages, @$build_packages ); + $utils->execChroot( $target, 'emerge', + ( $rebuild_bin ? ('-e') : ( '--noreplace', ) ), + @$packages, @$build_packages ); if ( $return_code != 0 ) { die 'Unable to install needed packages.'; } } + sub _webrsync ($target) { my $return_code = $utils->execChroot( $target, 'emerge-webrsync' ); if ( $return_code != 0 ) { diff --git a/root_final/.exists b/root_final/.exists new file mode 100644 index 0000000..e69de29 
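Review bot: Copying `cri-tools-1.27.0.ebuild` to `cri-tools-1.28.0.ebuild` (and `cilium-cli-0.13.0.ebuild` to `cilium-cli-0.15.11.ebuild`) in _updateSystem and then running `ebuild ... manifest` regenerates the Manifest from whatever tarball is downloaded at build time, so the distro's signed Manifest no longer vouches for those sources and the build trusts the first download. Pinning the bumped ebuilds in a local overlay with the expected upstream checksums keeps the integrity check, and also survives the next `emerge-webrsync`, which will overwrite or orphan the in-tree copies. None of the four new `execChroot` return codes is checked, while the `emerge -uUDN @world` call just below in the same sub is; `die` on a non-zero result for the `cp` and `ebuild` steps too. The copy also assumes the 1.27.0 ebuild applies unchanged to the 1.28.0 sources.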
diff --git a/root_final/etc/containerd/config.toml b/root_final/etc/containerd/config.toml new file mode 100644 index 0000000..3000f60 --- /dev/null +++ b/root_final/etc/containerd/config.toml 
@@ -0,0 +1,274 @@ +disabled_plugins = [] +imports = [] +oom_score = 0 +plugin_dir = "" +required_plugins = [] +root = "/var/lib/containerd" +state = "/run/containerd" +temp = "" +version = 2 + +[cgroup] + path = "" + +[debug] + address = "" + format = "" + gid = 0 + level = "" + uid = 0 + +[grpc] + address = "/run/containerd/containerd.sock" + gid = 0 + max_recv_message_size = 16777216 + max_send_message_size = 16777216 + tcp_address = "" + tcp_tls_ca = "" + tcp_tls_cert = "" + tcp_tls_key = "" + uid = 0 + +[metrics] + address = "" + grpc_histogram = false + +[plugins] + + [plugins."io.containerd.gc.v1.scheduler"] + deletion_threshold = 0 + mutation_threshold = 100 + pause_threshold = 0.02 + schedule_delay = "0s" + startup_delay = "100ms" + + [plugins."io.containerd.grpc.v1.cri"] + cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"] + device_ownership_from_security_context = false + disable_apparmor = false + disable_cgroup = false + disable_hugetlb_controller = true + disable_proc_mount = false + disable_tcp_service = true + drain_exec_sync_io_timeout = "0s" + enable_cdi = false + enable_selinux = false + enable_tls_streaming = false + enable_unprivileged_icmp = false + enable_unprivileged_ports = false + ignore_image_defined_volumes = false + image_pull_progress_timeout = "1m0s" + max_concurrent_downloads = 3 + max_container_log_line_size = 16384 + netns_mounts_under_state_dir = false + restrict_oom_score_adj = false + sandbox_image = "registry.k8s.io/pause:3.8" + selinux_category_range = 1024 + stats_collect_period = 10 + stream_idle_timeout = "4h0m0s" + stream_server_address = "127.0.0.1" + stream_server_port = "0" + systemd_cgroup = false + tolerate_missing_hugetlb_controller = true + unset_seccomp_profile = "" + + [plugins."io.containerd.grpc.v1.cri".cni] + bin_dir = "/opt/cni/bin" + conf_dir = "/etc/cni/net.d" + conf_template = "" + ip_pref = "" + max_conf_num = 1 + setup_serially = false + + [plugins."io.containerd.grpc.v1.cri".containerd] + default_runtime_name = 
"runc" + disable_snapshot_annotations = true + discard_unpacked_layers = false + ignore_blockio_not_enabled_errors = false + ignore_rdt_not_enabled_errors = false + no_pivot = false + snapshotter = "overlayfs" + + [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime] + base_runtime_spec = "" + cni_conf_dir = "" + cni_max_conf_num = 0 + container_annotations = [] + pod_annotations = [] + privileged_without_host_devices = false + privileged_without_host_devices_all_devices_allowed = false + runtime_engine = "" + runtime_path = "" + runtime_root = "" + runtime_type = "" + sandbox_mode = "" + snapshotter = "" + + [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options] + + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] + + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + base_runtime_spec = "" + cni_conf_dir = "" + cni_max_conf_num = 0 + container_annotations = [] + pod_annotations = [] + privileged_without_host_devices = false + privileged_without_host_devices_all_devices_allowed = false + runtime_engine = "" + runtime_path = "" + runtime_root = "" + runtime_type = "io.containerd.runc.v2" + sandbox_mode = "podsandbox" + snapshotter = "" + + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] + BinaryName = "" + CriuImagePath = "" + CriuPath = "" + CriuWorkPath = "" + IoGid = 0 + IoUid = 0 + NoNewKeyring = false + NoPivotRoot = false + Root = "" + ShimCgroup = "" + SystemdCgroup = false + + [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime] + base_runtime_spec = "" + cni_conf_dir = "" + cni_max_conf_num = 0 + container_annotations = [] + pod_annotations = [] + privileged_without_host_devices = false + privileged_without_host_devices_all_devices_allowed = false + runtime_engine = "" + runtime_path = "" + runtime_root = "" + runtime_type = "" + sandbox_mode = "" + snapshotter = "" + + [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options] + + 
[plugins."io.containerd.grpc.v1.cri".image_decryption] + key_model = "node" + + [plugins."io.containerd.grpc.v1.cri".registry] + config_path = "" + + [plugins."io.containerd.grpc.v1.cri".registry.auths] + + [plugins."io.containerd.grpc.v1.cri".registry.configs] + + [plugins."io.containerd.grpc.v1.cri".registry.headers] + + [plugins."io.containerd.grpc.v1.cri".registry.mirrors] + + [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming] + tls_cert_file = "" + tls_key_file = "" + + [plugins."io.containerd.internal.v1.opt"] + path = "/opt/containerd" + + [plugins."io.containerd.internal.v1.restart"] + interval = "10s" + + [plugins."io.containerd.internal.v1.tracing"] + sampling_ratio = 1.0 + service_name = "containerd" + + [plugins."io.containerd.metadata.v1.bolt"] + content_sharing_policy = "shared" + + [plugins."io.containerd.monitor.v1.cgroups"] + no_prometheus = false + + [plugins."io.containerd.nri.v1.nri"] + disable = true + disable_connections = false + plugin_config_path = "/etc/nri/conf.d" + plugin_path = "/opt/nri/plugins" + plugin_registration_timeout = "5s" + plugin_request_timeout = "2s" + socket_path = "/var/run/nri/nri.sock" + + [plugins."io.containerd.runtime.v1.linux"] + no_shim = false + runtime = "runc" + runtime_root = "" + shim = "containerd-shim" + shim_debug = false + + [plugins."io.containerd.runtime.v2.task"] + platforms = ["linux/amd64"] + sched_core = false + + [plugins."io.containerd.service.v1.diff-service"] + default = ["walking"] + + [plugins."io.containerd.service.v1.tasks-service"] + blockio_config_file = "" + rdt_config_file = "" + + [plugins."io.containerd.snapshotter.v1.aufs"] + root_path = "" + + [plugins."io.containerd.snapshotter.v1.native"] + root_path = "" + + [plugins."io.containerd.snapshotter.v1.overlayfs"] + root_path = "" + upperdir_label = false + + [plugins."io.containerd.snapshotter.v1.zfs"] + root_path = "" + + [plugins."io.containerd.tracing.processor.v1.otlp"] + endpoint = "" + insecure = false + protocol = "" 
+ + [plugins."io.containerd.transfer.v1.local"] + config_path = "" + max_concurrent_downloads = 3 + max_concurrent_uploaded_layers = 3 + + [[plugins."io.containerd.transfer.v1.local".unpack_config]] + differ = "" + platform = "linux/amd64" + snapshotter = "overlayfs" + +[proxy_plugins] + +[stream_processors] + + [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"] + accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"] + args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"] + env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"] + path = "ctd-decoder" + returns = "application/vnd.oci.image.layer.v1.tar" + + [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"] + accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"] + args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"] + env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"] + path = "ctd-decoder" + returns = "application/vnd.oci.image.layer.v1.tar+gzip" + +[timeouts] + "io.containerd.timeout.bolt.open" = "0s" + "io.containerd.timeout.metrics.shimstats" = "2s" + "io.containerd.timeout.shim.cleanup" = "5s" + "io.containerd.timeout.shim.load" = "5s" + "io.containerd.timeout.shim.shutdown" = "3s" + "io.containerd.timeout.task.state" = "2s" + +[ttrpc] + address = "" + gid = 0 + uid = 0 diff --git a/root_final/etc/sudoers b/root_final/etc/sudoers new file mode 100644 index 0000000..bc0d6a0 --- /dev/null +++ b/root_final/etc/sudoers 
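Review bot: `SystemdCgroup = false` under `[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]` leaves containerd on the cgroupfs driver while this commit moves the image from openrc to systemd; kubeadm defaults the kubelet to the systemd cgroup driver, and a driver mismatch between kubelet and runtime is a documented cause of node instability under memory pressure. Set `SystemdCgroup = true` for the runc runtime. `sandbox_image = "registry.k8s.io/pause:3.8"` should also match the pause version the installed kubeadm expects, otherwise `kubeadm init` warns and the node pulls a second pause image. This file appears to be the `containerd config default` dump; a header comment naming the settings changed from default would make future diffs readable.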
@@ -0,0 +1,99 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. 
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to use a hard-coded PATH instead of the user's to find commands +# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +## Sudo will create up to 2,176,782,336 I/O logs before recycling them. +## Set maxseq to a smaller number if you don't have unlimited disk space. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output +# Defaults maxseq = 1000 + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL:ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL:ALL) ALL + +## Same thing without a password +%wheel ALL=(ALL:ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL:ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +@includedir /etc/sudoers.d diff --git a/root_final/etc/sysctl.d/kubernetes.conf b/root_final/etc/sysctl.d/kubernetes.conf new file mode 100644 index 0000000..d46bab8 --- /dev/null +++ b/root_final/etc/sysctl.d/kubernetes.conf @@ -0,0 +1,3 @@ +net.bridge.bridge-nf-call-ip6tables = 1 +net.bridge.bridge-nf-call-iptables = 1 +net.ipv4.ip_forward = 1 
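Review bot: `%wheel ALL=(ALL:ALL) NOPASSWD: ALL` grants passwordless root to the whole `wheel` group, and this commit adds the `kube` user to `wheel` with a fixed password and enables sshd, so any login as `kube` is an unauthenticated root shell; keep the password-requiring `%wheel ALL=(ALL:ALL) ALL` unless the image is strictly local and throwaway. Leave `Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"` uncommented so a user-writable PATH entry cannot substitute the command sudo runs. The file's own header says it must be edited with visudo; since the build installs it as a plain copy, run `visudo -c -f root_final/etc/sudoers` in the build and ensure the installed file is root-owned with mode 0440, or sudo will refuse it.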
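Review bot: `net.bridge.bridge-nf-call-iptables` and `net.bridge.bridge-nf-call-ip6tables` only exist once the `br_netfilter` module is loaded, and nothing in this commit loads it, so at boot systemd-sysctl will report these keys as missing and bridged pod traffic bypasses the host netfilter rules until the module happens to load. Add a `root_final/etc/modules-load.d/kubernetes.conf` listing `overlay` and `br_netfilter`, which is what the kubeadm container-runtime prerequisites prescribe alongside this sysctl file.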
diff --git a/root_final/etc/systemd/system/kubelet.service.d/10-kubeadm.conf b/root_final/etc/systemd/system/kubelet.service.d/10-kubeadm.conf new file mode 100644 index 0000000..1aa037a --- /dev/null +++ b/root_final/etc/systemd/system/kubelet.service.d/10-kubeadm.conf @@ -0,0 +1,11 @@ +# Note: This dropin only works with kubeadm and kubelet v1.11+ +[Service] +Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf" +Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml" +# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically +EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env +# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use +# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file. +EnvironmentFile=-/etc/default/kubelet +ExecStart= +ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS diff --git a/root_stage/.exists b/root_stage/.exists new file mode 100644 index 0000000..e69de29 diff --git a/root_stage/etc/portage/package.accept_keywords/zz-autounmask b/root_stage/etc/portage/package.accept_keywords/zz-autounmask new file mode 100644 index 0000000..371e9de --- /dev/null +++ b/root_stage/etc/portage/package.accept_keywords/zz-autounmask @@ -0,0 +1,8 @@ +sys-cluster/minikube ~amd64 +app-containers/kompose ~amd64 +sys-cluster/cilium-cli ~amd64 +sys-cluster/kubeletctl ~amd64 +app-containers/cri-tools ~amd64 +app-containers/cri-o ~amd64 +app-containers/containerd ~amd64 +app-containers/runc ~amd64 diff --git a/zz-use b/zz-use index c72463e..eab2616 100644 --- a/zz-use +++ b/zz-use 
@@ -1,3 +1,7 @@ app-misc/mime-types nginx sys-kernel/gentoo-kernel -initramfs sys-apps/util-linux -su +net-libs/gnutls tools pkcs11 +net-dns/dnsmasq script +sys-apps/systemd pam +