diff --git a/images/dind/master/openshift-generate-master-config.sh b/images/dind/master/openshift-generate-master-config.sh
index 5343e7b37759..d6cd0d69d6f7 100755
--- a/images/dind/master/openshift-generate-master-config.sh
+++ b/images/dind/master/openshift-generate-master-config.sh
@@ -32,9 +32,11 @@ function ensure-master-config() {
 --master="https://${ip_addr}:8443" \
 --network-plugin="${OPENSHIFT_NETWORK_PLUGIN}"
- # ensure the configuration is readable outside of the container
- find "${config_path}" -exec chmod ga+rw {} \;
- find "${config_path}" -type d -exec chmod ga+x {} \;
+ # ensure the configuration can be used outside of the container
+ chmod ga+rx "${config_path}"
+ chmod ga+rx "${master_path}"
+ chmod ga+r "${master_path}"/*
+ chmod ga+w "${master_path}/admin.kubeconfig"
 }
 ensure-master-config
diff --git a/images/dind/node/openshift-generate-node-config.sh b/images/dind/node/openshift-generate-node-config.sh
index e64e3ac344d3..72d1fc3e8c45 100755
--- a/images/dind/node/openshift-generate-node-config.sh
+++ b/images/dind/node/openshift-generate-node-config.sh
@@ -8,14 +8,6 @@ source /usr/local/bin/openshift-dind-lib.sh
 # Should set OPENSHIFT_NETWORK_PLUGIN
 source /data/network-plugin
-function os::dind::lock() {
- local config_path=$1
- exec 200>"${config_path}"/.openshift-generate-node-config.exclusivelock
- flock -n 200
-}
-
 function ensure-node-config() {
 local deployed_config_path="/var/lib/origin/openshift.local.config/node"
 local deployed_config_file="${deployed_config_path}/node-config.yaml"
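Review bot: `chmod ga+r "${master_path}"/*` makes every file under the master config directory world-readable, which includes the signer key (`ca.key`, consumed by the node script elsewhere in this diff) and the other master private keys; that is narrower than the `find … chmod ga+rw` it replaces, but the comment should state that this is the intended contract of the shared dind volume, e.g. `# NOTE: makes ca.key and the other master keys world-readable; node containers read them from the shared volume`. The same point applies to `chmod ga+r "${node_config_path}"/*` in the last hunk of the node script. `chmod ga+w "${master_path}/admin.kubeconfig"` additionally leaves the cluster-admin credential file writable by any local user; if the write bit is really needed (not visible from the hunk), a one-line why-comment would help. The ensure-master-config function starts outside the hunk, so whether `master_path` is defined there cannot be confirmed here.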
@@ -32,28 +24,32 @@ function ensure-node-config() {
 host="${host}-node"
 fi
 local node_config_path="${config_path}/node-${host}"
- local config_file="${node_config_path}/node-config.yaml"
+ local node_config_file="${node_config_path}/node-config.yaml"
 # If the node config has not been generated
- if [[ ! -f "${config_file}" ]]; then
+ if [[ ! -f "${node_config_file}" ]]; then
 local master_config_path="${config_path}/master"
+ local master_config_file="${master_config_path}/admin.kubeconfig"
 # Wait for the master to generate its config
- local condition="test -f ${master_config_path}/admin.kubeconfig"
+ local condition="test -f ${master_config_file}"
 os::util::wait-for-condition "admin config" "${condition}" "${OS_WAIT_FOREVER}"
 local master_host
- master_host="$(grep server "${master_config_path}/admin.kubeconfig" | grep -v localhost | awk '{print $2}')"
+ master_host="$(grep server "${master_config_file}" | grep -v localhost | awk '{print $2}')"
 local ip_addr
 ip_addr="$(ip addr | grep inet | grep eth0 | awk '{print $2}' | sed -e 's+/.*++')"
- # Wait for the node cert gen lock to be held
- local condition="os::dind::lock ${config_path}"
- os::util::wait-for-condition "cert gen lock" "${condition}" "${OS_WAIT_FOREVER}"
+ # Hold a lock on the shared volume to ensure cert generation is
+ # performed serially. Cert generation is not compatible with
+ # concurrent execution since the file passed to --signer-serial
+ # needs to be incremented by each invocation.
+ exec 200>"${config_path}"/.openshift-generate-node-config.exclusivelock
+ flock 200
 /usr/local/bin/openshift admin create-node-config \
- --node-dir="${config_path}" \
+ --node-dir="${node_config_path}" \
 --node="${host}" \
 --master="${master_host}" \
 --hostnames="${host},${ip_addr}" \
@@ -63,11 +59,18 @@ function ensure-node-config() {
 --signer-cert="${master_config_path}/ca.crt" \
 --signer-key="${master_config_path}/ca.key" \
 --signer-serial="${master_config_path}/ca.serial.txt"
+
+ # Release the lock
+ flock -o
 fi
+ # ensure the configuration is readable outside of the container
+ chmod ga+rx "${node_config_path}"
+ chmod ga+r "${node_config_path}"/*
+
 # Deploy the node config
 mkdir -p "${deployed_config_path}"
- cp -r "${config_path}"/* "${deployed_config_path}"
+ cp -r "${node_config_path}"/* "${deployed_config_path}/"
 }
 ensure-node-config
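Review bot: `flock -o` under the "Release the lock" comment does not release anything: `-o`/`--close` is an option that requires a file or descriptor operand, so the command fails with a usage error and fd 200 stays locked until the script exits (and aborts the script if errexit is in effect, which is not visible from the hunk). The intended release is `flock -u 200`, ideally followed by `exec 200>&-` so the descriptor is not inherited by the `cp` and any later processes. The matching `exec 200>…`/`flock 200` acquisition is in the previous hunk, and the body of ensure-node-config begins outside this one.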