etcd tweaks for running with kube ansible

* add etcdctl to host
* add cap for reading cert dir
* mount config dir
* copy and source config file from rpm rather than export all the values

Closes: #78
Approved by: giuseppe

etcd/Dockerfile

@@ -22,6 +22,13 @@ COPY uninstall.sh /usr/bin/uninstall.sh
 
 COPY tmpfiles.template config.json.template service.template manifest.json /exports/
 
+RUN mkdir -p /exports/hostfs/usr/local/bin/ && cp /usr/bin/etcdctl /exports/hostfs/usr/local/bin/etcdctl
+
+# RUN mkdir -p /exports/hostfs/usr/local/bin/ && echo "runc exec -- etcd /usr/bin/etcdctl \$@" \
+# > /exports/hostfs/usr/local/bin/etcdctl && chmod +x /exports/hostfs/usr/local/bin/etcdctl
+
+RUN mkdir -p /exports/hostfs/etc/etcd && cp /etc/etcd/etcd.conf /exports/hostfs/etc/etcd
+
 EXPOSE 4001 7001 2379 2380
 
 CMD ["/usr/bin/etcd-env.sh", "/usr/bin/etcd"]

etcd/config.json.template

@@ -59,26 +59,31 @@
 		"cwd": "/",
 		"capabilities": {
 			"bounding": [
+                                "CAP_DAC_READ_SEARCH",
 				"CAP_AUDIT_WRITE",
 				"CAP_KILL",
 				"CAP_NET_BIND_SERVICE"
 			],
 			"permitted": [
+                                "CAP_DAC_READ_SEARCH",
                                 "CAP_AUDIT_WRITE",
                                 "CAP_KILL",
                                 "CAP_NET_BIND_SERVICE"
                         ],
 			"inheritable": [
+                                "CAP_DAC_READ_SEARCH",
                                 "CAP_AUDIT_WRITE",
                                 "CAP_KILL",
                                 "CAP_NET_BIND_SERVICE"
                         ],
 			"effective": [
+                                "CAP_DAC_READ_SEARCH",
                                 "CAP_AUDIT_WRITE",
                                 "CAP_KILL",
                                 "CAP_NET_BIND_SERVICE"
                         ],
 			"ambient": [
+                                "CAP_DAC_READ_SEARCH",
                                 "CAP_AUDIT_WRITE",
                                 "CAP_KILL",
                                 "CAP_NET_BIND_SERVICE"
@@ -199,7 +204,17 @@
                                 "rbind",
                                 "rprivate"
                         ]
-        }
+                 },
+                 {
+                         "type": "bind",
+                         "source": "/etc/etcd/",
+                         "destination": "/etc/etcd/",
+                         "options": [
+                                 "rbind",
+                                 "ro",
+                                 "rprivate"
+                         ]
+                 }
 	],
 	"linux": {
 		"resources": {

etcd/etcd-env.sh

@@ -6,11 +6,11 @@ if test x$NAME == x; then
 fi
 export ETCD_NAME=${ETCD_NAME:-$HOSTNAME}
 export ETCD_DATA_DIR=/var/lib/etcd/${NAME}.etcd
-export ETCD_ADVERTISE_CLIENT_URLS=${ETCD_ADVERTISE_CLIENT_URLS:-http://${ipaddress}:2379,http://${ipaddress}:4001}
-export ETCD_LISTEN_CLIENT_URLS=${ETCD_LISTEN_CLIENT_URLS:-http://0.0.0.0:2379,http://0.0.0.0:4001}
-export ETCD_INITIAL_ADVERTISE_PEER_URLS=${ETCD_INITIAL_ADVERTISE_PEER_URLS:-http://${ipaddress}:2380,http://${ipaddress}:7001}
-export ETCD_LISTEN_PEER_URLS=${ETCD_LISTEN_PEER_URLS:-http://0.0.0.0:2380,http://0.0.0.0:7001}
-export ETCD_INITIAL_CLUSTER=${ETCD_INITIAL_CLUSTER:-$HOSTNAME=http://${ipaddress}:2380,$HOSTNAME=http://${ipaddress}:7001}
+
+sed -i s/ETCD_NAME.*/ETCD_NAME=$ETCD_NAME/g /etc/etcd/etcd.conf
+sed -i s/ETCD_DATA_DIR.*/ETCD_DATA_DIR=$ETCD_DATA_DIR/g /etc/etcd/etcd.conf
+
+source /etc/etcd/etcd.conf
 
 # Execute the commands passed to this script
 exec "$@"