As an improvement on running calico-node as a container under the docker daemon (with the associated chicken-and-egg problem with calico-libnetwork, which needs docker to be up before the plugin it provides can start), we've been looking at running it as a simple docker-runc
service instead. This has the benefit of being easier to stream into a disk image on first provisioning, and running more naturally as an init job rather than a docker job.
As a first pass, this is a configuration (derived from the docker one) which works for me (with a read-only calico-node blob). Be aware that, as written, it is still effectively a privileged container: the process runs as root (`"user": {}`, no user namespace), with the full capability set (including CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO and CAP_SYS_PTRACE), an unrestricted device cgroup (`"access": "rwm", "allow": true`), the host network namespace (no `network` entry in `namespaces`), and a read-write bind of `/var/run/docker.sock` — any one of which is host-root equivalent on its own. The read-only rootfs, `noNewPrivileges` and the masked/read-only `/proc` paths guard against accidents, not against a compromised calico-node, and no seccomp profile is set in this config at all. The capability list was copied from the "allow everything" docker one and could almost certainly be trimmed to what calico-node actually needs (CAP_NET_ADMIN/CAP_NET_RAW for the networking side, plus CAP_SYS_MODULE only if it really has to load modules, which is what the `/lib/modules` bind suggests); I haven't yet worked out the minimal set:
{
"hooks": {},
"hostname": "runc",
"linux": {
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_stats",
"/proc/sched_debug"
],
"namespaces": [
{
"type": "pid"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
],
"readonlyPaths": [
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys/abi",
"/proc/sys/debug",
"/proc/sys/dev",
"/proc/sys/fs",
"/proc/sys/kernel",
"/proc/sys/vm",
"/proc/sysrq-trigger"
],
"resources": {
"devices": [
{
"access": "rwm",
"allow": true
}
]
}
},
"mounts": [
{
"destination": "/proc",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "proc",
"type": "proc"
},
{
"destination": "/dev",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
],
"source": "tmpfs",
"type": "tmpfs"
},
{
"destination": "/dev/pts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
],
"source": "devpts",
"type": "devpts"
},
{
"destination": "/dev/shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
],
"source": "shm",
"type": "tmpfs"
},
{
"destination": "/dev/mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
],
"source": "mqueue",
"type": "mqueue"
},
{
"destination": "/sys",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
],
"source": "sysfs",
"type": "sysfs"
},
{
"destination": "/sys/fs/cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
],
"source": "cgroup",
"type": "cgroup"
},
{
"destination": "/lib/modules",
"options": [
"rbind",
"rprivate"
],
"source": "/lib/modules",
"type": "bind"
},
{
"destination": "/var/log/calico",
"options": [
"rbind",
"rprivate"
],
"source": "/var/log/calico",
"type": "bind"
},
{
"destination": "/var/run/calico",
"options": [
"rbind",
"rprivate"
],
"source": "/var/run/calico",
"type": "bind"
},
{
"destination": "/etc/resolv.conf",
"options": [
"rbind",
"rprivate",
"ro"
],
"source": "/etc/resolv.conf",
"type": "bind"
},
{
"destination": "/etc/hostname",
"options": [
"rbind",
"rprivate",
"ro"
],
"source": "/etc/hostname",
"type": "bind"
},
{
"destination": "/etc/hosts",
"options": [
"rbind",
"rprivate",
"ro"
],
"source": "/etc/hosts",
"type": "bind"
},
{
"destination": "/felix-startup-1.log",
"options": [
"rbind",
"rprivate"
],
"source": "/var/run/calico/node/felix-startup-1.log",
"type": "bind"
},
{
"destination": "/felix-startup-2.log",
"options": [
"rbind",
"rprivate"
],
"source": "/var/run/calico/node/felix-startup-2.log",
"type": "bind"
},
{
"destination": "/etc/envvars",
"options": [
"rbind",
"rprivate"
],
"source": "/var/run/calico/node/envvars",
"type": "bind"
},
{
"destination": "/startup.env",
"options": [
"rbind",
"rprivate"
],
"source": "/var/run/calico/node/startup.env",
"type": "bind"
},
{
"destination": "/etc/service/enabled",
"options": [
"nodev"
],
"source": "tmpfs",
"type": "tmpfs"
},
{
"destination": "/etc/calico/confd/conf.d",
"options": [
"rbind",
"rprivate"
],
"source": "/var/run/calico/node/confd/conf.d",
"type": "bind"
},
{
"destination": "/etc/calico/confd/config",
"options": [
"noexec",
"nodev"
],
"source": "tmpfs",
"type": "tmpfs"
},
{
"destination": "/run",
"options": [
"noexec",
"nodev"
],
"source": "tmpfs",
"type": "tmpfs"
},
{
"destination": "/tmp",
"options": [
"nodev"
],
"source": "tmpfs",
"type": "tmpfs"
},
{
"destination": "/run/docker/plugins",
"options": [
"rbind",
"rprivate"
],
"source": "/run/docker/plugins",
"type": "bind"
},
{
"destination": "/var/run/docker.sock",
"options": [
"rbind",
"rprivate"
],
"source": "/var/run/docker.sock",
"type": "bind"
}
],
"ociVersion": "0.6.0-dev",
"platform": {
"arch": "amd64",
"os": "linux"
},
"process": {
"args": [
"/sbin/start_runit"
],
"capabilities": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_DAC_READ_SEARCH",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_KILL",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETPCAP",
"CAP_LINUX_IMMUTABLE",
"CAP_NET_BIND_SERVICE",
"CAP_NET_BROADCAST",
"CAP_NET_ADMIN",
"CAP_NET_RAW",
"CAP_IPC_LOCK",
"CAP_IPC_OWNER",
"CAP_SYS_MODULE",
"CAP_SYS_RAWIO",
"CAP_SYS_CHROOT",
"CAP_SYS_PTRACE",
"CAP_SYS_PACCT",
"CAP_SYS_ADMIN",
"CAP_SYS_BOOT",
"CAP_SYS_NICE",
"CAP_SYS_RESOURCE",
"CAP_SYS_TIME",
"CAP_SYS_TTY_CONFIG",
"CAP_MKNOD",
"CAP_LEASE",
"CAP_AUDIT_WRITE",
"CAP_AUDIT_CONTROL",
"CAP_SETFCAP",
"CAP_MAC_OVERRIDE",
"CAP_MAC_ADMIN",
"CAP_SYSLOG",
"CAP_WAKE_ALARM",
"CAP_BLOCK_SUSPEND",
"CAP_AUDIT_READ"
],
"cwd": "/",
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HOSTNAME={{HOSTNAME}}",
"ETCD_ENDPOINTS={{ETCD_ENDPOINTS}}",
"ETCD_SCHEME={{ETCD_SCHEME}}",
"ETCD_CA_FILE={{ETCD_CA_FILE}}",
"ETCD_CERT_FILE={{ETCD_CERT_FILE}}",
"ETCD_KEY_FILE={{ETCD_KEY_FILE}}",
"CALICO_NETWORKING_BACKEND={{CALICO_NETWORKING_BACKEND}}",
"CALICO_LIBNETWORK_ENABLED={{CALICO_LIBNETWORK_ENABLED}}",
"NO_DEFAULT_POOLS={{NO_DEFAULT_POOLS}}",
"AS={{AS}}",
"IP={{IP}}",
"IP6={{IP6}}",
"DOCKER_API_VERSION=1.21"
],
"noNewPrivileges": true,
"rlimits": [
{
"hard": 1024,
"soft": 1024,
"type": "RLIMIT_NOFILE"
}
],
"terminal": false,
"user": {}
},
"root": {
"path": "/opt/calico-node",
"readonly": true
}
}
You also generally need a unit file to launch this with (I'm using j2cli to do templating of the config.json). Two things to watch when templating: the `{{...}}` values are substituted straight into JSON string literals, so they must be JSON-safe (or run through a JSON-escaping filter) — a stray quote or backslash in e.g. ETCD_ENDPOINTS will produce an invalid config.json; and the paths in ETCD_CA_FILE / ETCD_CERT_FILE / ETCD_KEY_FILE have to resolve inside the container's read-only rootfs, since nothing in the mount list above binds them in — they either have to be baked into the blob or added as an extra (read-only) bind mount.