From 53b9388b823fcdb575f25f0f3b9b5b44f72bed91 Mon Sep 17 00:00:00 2001 From: Etienne Champetier Date: Wed, 3 Mar 2021 10:27:20 -0500 Subject: [PATCH] Add kube-ipvs0/nodelocaldns to NetworkManager unmanaged-devices (#7315) On CentOS 8 they seem to be ignored by default, but better be extra safe This also make it easy to exclude other network plugin interfaces Signed-off-by: Etienne Champetier (cherry picked from commit e442b1d2b9ce7734093a724c3d35462f1b3cbcb8) --- roles/kubernetes/preinstall/handlers/main.yml | 1 - .../0062-networkmanager-unmanaged-devices.yml | 36 +++++++++++++++++++ ...anager.yml => 0063-networkmanager-dns.yml} | 0 roles/kubernetes/preinstall/tasks/main.yml | 6 +++- roles/network_plugin/calico/handlers/main.yml | 6 ---- roles/network_plugin/calico/tasks/install.yml | 23 ------------ roles/reset/tasks/main.yml | 2 ++ 7 files changed, 43 insertions(+), 31 deletions(-) create mode 100644 roles/kubernetes/preinstall/tasks/0062-networkmanager-unmanaged-devices.yml rename roles/kubernetes/preinstall/tasks/{0062-networkmanager.yml => 0063-networkmanager-dns.yml} (100%) diff --git a/roles/kubernetes/preinstall/handlers/main.yml b/roles/kubernetes/preinstall/handlers/main.yml index bdaaff3e3..ec78c50b6 100644 --- a/roles/kubernetes/preinstall/handlers/main.yml +++ b/roles/kubernetes/preinstall/handlers/main.yml @@ -33,7 +33,6 @@ service: name: NetworkManager.service state: restarted - when: is_fedora_coreos - name: Preinstall | reload kubelet service: diff --git a/roles/kubernetes/preinstall/tasks/0062-networkmanager-unmanaged-devices.yml b/roles/kubernetes/preinstall/tasks/0062-networkmanager-unmanaged-devices.yml new file mode 100644 index 000000000..b8b673bd2 --- /dev/null +++ b/roles/kubernetes/preinstall/tasks/0062-networkmanager-unmanaged-devices.yml 
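Review bot: With `when: is_fedora_coreos` removed, the handler in roles/kubernetes/preinstall/handlers/main.yml now applies `state: restarted` to NetworkManager.service on every host that notifies it. The new task file notifies it as `Preinstall | reload NetworkManager`, and the Calico handler deleted in this commit used `state: reloaded`. A full restart can interrupt connectivity on the node, which is more than is needed to pick up a new conf.d file. If no other notifier relies on the restart, `state: reloaded` would match both the handler's name and the behaviour it replaces. The handler's `- name:` line sits above the hunk, so its name is inferred from the `notify:` lines in the new task file.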
@@ -0,0 +1,36 @@
+---
+- name: NetworkManager | Check if host has NetworkManager
+ # noqa 303 Should we use service_facts for this?
+ command: systemctl is-active --quiet NetworkManager.service
+ register: nm_check
+ failed_when: false
+ changed_when: false
+
+- name: NetworkManager | Ensure NetworkManager conf.d dir
+ file:
+ path: "/etc/NetworkManager/conf.d"
+ state: directory
+ recurse: yes
+ when: nm_check.rc == 0
+
+- name: NetworkManager | Prevent NetworkManager from managing Calico interfaces (cali*/tunl*/vxlan.calico)
+ copy:
+ content: |
+ [keyfile]
+ unmanaged-devices+=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico
+ dest: /etc/NetworkManager/conf.d/calico.conf
+ when:
+ - nm_check.rc == 0
+ - kube_network_plugin == "calico"
+ notify: Preinstall | reload NetworkManager
+
+# TODO: add other network_plugin interfaces
+
+- name: NetworkManager | Prevent NetworkManager from managing K8S interfaces (kube-ipvs0/nodelocaldns)
+ copy:
+ content: |
+ [keyfile]
+ unmanaged-devices+=interface-name:kube-ipvs0;interface-name:nodelocaldns
+ dest: /etc/NetworkManager/conf.d/k8s.conf
+ when: nm_check.rc == 0
+ notify: Preinstall | reload NetworkManager
diff --git a/roles/kubernetes/preinstall/tasks/0062-networkmanager.yml b/roles/kubernetes/preinstall/tasks/0063-networkmanager-dns.yml
similarity index 100%
rename from roles/kubernetes/preinstall/tasks/0062-networkmanager.yml
rename to roles/kubernetes/preinstall/tasks/0063-networkmanager-dns.yml
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index b5c571342..2a3418b0e 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
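Review bot: The two `copy` tasks and the `file` task in 0062-networkmanager-unmanaged-devices.yml set no `mode`, `owner` or `group`, so the permissions of /etc/NetworkManager/conf.d/calico.conf and k8s.conf depend on the remote umask. Files that decide which interfaces NetworkManager leaves alone are worth pinning: add `owner: root`, `group: root`, `mode: "0644"` to each `copy`. On the directory task, set `mode: "0755"` and drop `recurse: yes`, which is then unneeded and would push the mode onto existing files. Separately, the `systemctl is-active` command is skipped under `--check`, which would leave `nm_check.rc` undefined for the later `when:` clauses; `check_mode: false` on that task avoids it.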
@@ -39,7 +39,11 @@ - bootstrap-os - resolvconf -- import_tasks: 0062-networkmanager.yml +- import_tasks: 0062-networkmanager-unmanaged-devices.yml + tags: + - bootstrap-os + +- import_tasks: 0063-networkmanager-dns.yml when: - dns_mode != 'none' - resolvconf_mode == 'host_resolvconf' diff --git a/roles/network_plugin/calico/handlers/main.yml b/roles/network_plugin/calico/handlers/main.yml index 696729a24..bae575047 100644 --- a/roles/network_plugin/calico/handlers/main.yml +++ b/roles/network_plugin/calico/handlers/main.yml @@ -25,9 +25,3 @@ until: crictl_calico_node_remove is succeeded retries: 5 when: container_manager in ["crio", "containerd"] - -- name: Calico | Reload NetworkManager - service: - name: NetworkManager - state: reloaded - when: '"running" in nm_check.stdout' diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml index f5a9afc33..a6fd2d93e 100644 --- a/roles/network_plugin/calico/tasks/install.yml +++ b/roles/network_plugin/calico/tasks/install.yml @@ -6,29 +6,6 @@ mode: 0755 remote_src: yes -- name: Calico | Check if host has NetworkManager - # noqa 303 Should we use service_facts for this? - command: systemctl is-active --quiet NetworkManager.service - register: nm_check - failed_when: false - changed_when: false - -- name: Calico | Ensure NetworkManager conf.d dir - file: - path: "/etc/NetworkManager/conf.d" - state: directory - recurse: yes - when: nm_check.rc == 0 - -- name: Calico | Prevent NetworkManager from managing Calico interfaces - copy: - content: | - [keyfile] - unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico - dest: /etc/NetworkManager/conf.d/calico.conf - when: nm_check.rc == 0 - notify: Calico | Reload NetworkManager - - name: Calico | Write Calico cni config template: src: "cni-calico.conflist.j2" diff --git a/roles/reset/tasks/main.yml b/roles/reset/tasks/main.yml index c0749191b..1a78788f7 100644 --- a/roles/reset/tasks/main.yml 
+++ b/roles/reset/tasks/main.yml
@@ -257,6 +257,8 @@
 - /etc/dnsmasq.d-available
 - /etc/etcd.env
 - /etc/calico
+ - /etc/NetworkManager/conf.d/calico.conf
+ - /etc/NetworkManager/conf.d/k8s.conf
 - /etc/weave.env
 - /opt/cni
 - /etc/dhcp/dhclient.d/zdnsupdate.sh