fix: Revert removal of permissions change and update unit files

syself · Jan 6, 2025 · 64bcd06 · 64bcd06
1 parent b1a718f
commit 64bcd06
Show file tree

Hide file tree

Showing 7 changed files with 114 additions and 5 deletions.
diff --git a/templates/cluster-templates/bases/hcloud-kcp-ubuntu.yaml b/templates/cluster-templates/bases/hcloud-kcp-ubuntu.yaml
@@ -165,6 +165,22 @@ spec:
           nameserver 1.0.0.1
           nameserver 2606:4700:4700::1111
       - content: |
+          # Copyright The containerd Authors.
+          #
+          # Licensed under the Apache License, Version 2.0 (the "License");
+          # you may not use this file except in compliance with the License.
+          # You may obtain a copy of the License at
+          #
+          #     http://www.apache.org/licenses/LICENSE-2.0
+          #
+          # Unless required by applicable law or agreed to in writing, software
+          # distributed under the License is distributed on an "AS IS" BASIS,
+          # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+          # See the License for the specific language governing permissions and
+          # limitations under the License.
+          #
+          # https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
+
           [Unit]
           Description=containerd container runtime
           Documentation=https://containerd.io
@@ -179,9 +195,14 @@ spec:
           KillMode=process
           Restart=always
           RestartSec=5
+
+          # Having non-zero Limit*s causes performance problems due to accounting overhead
+          # in the kernel. We recommend using cgroups to do container-local accounting.
           LimitNPROC=infinity
           LimitCORE=infinity
-          LimitNOFILE=infinity
+
+          # Comment TasksMax if your systemd version does not supports it.
+          # Only systemd 226 and above support this version.
           TasksMax=infinity
           OOMScoreAdjust=-999
 

diff --git a/templates/cluster-templates/bases/hetznerbaremetal-kcp-ubuntu.yaml b/templates/cluster-templates/bases/hetznerbaremetal-kcp-ubuntu.yaml
@@ -184,6 +184,22 @@ spec:
           nameserver 1.0.0.1
           nameserver 2606:4700:4700::1111
       - content: |
+          # Copyright The containerd Authors.
+          #
+          # Licensed under the Apache License, Version 2.0 (the "License");
+          # you may not use this file except in compliance with the License.
+          # You may obtain a copy of the License at
+          #
+          #     http://www.apache.org/licenses/LICENSE-2.0
+          #
+          # Unless required by applicable law or agreed to in writing, software
+          # distributed under the License is distributed on an "AS IS" BASIS,
+          # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+          # See the License for the specific language governing permissions and
+          # limitations under the License.
+          #
+          # https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
+
           [Unit]
           Description=containerd container runtime
           Documentation=https://containerd.io
@@ -198,9 +214,14 @@ spec:
           KillMode=process
           Restart=always
           RestartSec=5
+
+          # Having non-zero Limit*s causes performance problems due to accounting overhead
+          # in the kernel. We recommend using cgroups to do container-local accounting.
           LimitNPROC=infinity
           LimitCORE=infinity
-          LimitNOFILE=infinity
+
+          # Comment TasksMax if your systemd version does not supports it.
+          # Only systemd 226 and above support this version.
           TasksMax=infinity
           OOMScoreAdjust=-999
 

diff --git a/templates/cluster-templates/bases/kct-md-0-ubuntu.yaml b/templates/cluster-templates/bases/kct-md-0-ubuntu.yaml
@@ -53,6 +53,22 @@ spec:
             nameserver 1.0.0.1
             nameserver 2606:4700:4700::1111
         - content: |
+          # Copyright The containerd Authors.
+          #
+          # Licensed under the Apache License, Version 2.0 (the "License");
+          # you may not use this file except in compliance with the License.
+          # You may obtain a copy of the License at
+          #
+          #     http://www.apache.org/licenses/LICENSE-2.0
+          #
+          # Unless required by applicable law or agreed to in writing, software
+          # distributed under the License is distributed on an "AS IS" BASIS,
+          # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+          # See the License for the specific language governing permissions and
+          # limitations under the License.
+          #
+          # https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
+
           [Unit]
           Description=containerd container runtime
           Documentation=https://containerd.io
@@ -67,9 +83,14 @@ spec:
           KillMode=process
           Restart=always
           RestartSec=5
+
+          # Having non-zero Limit*s causes performance problems due to accounting overhead
+          # in the kernel. We recommend using cgroups to do container-local accounting.
           LimitNPROC=infinity
           LimitCORE=infinity
-          LimitNOFILE=infinity
+
+          # Comment TasksMax if your systemd version does not supports it.
+          # Only systemd 226 and above support this version.
           TasksMax=infinity
           OOMScoreAdjust=-999
 

diff --git a/templates/node-image/1.28.9-ubuntu-22-04-containerd/scripts/cri.sh b/templates/node-image/1.28.9-ubuntu-22-04-containerd/scripts/cri.sh
@@ -49,6 +49,22 @@ EOF
 
 # Create containerd systemd unit
 cat >/etc/systemd/system/containerd.service <<'EOF'
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
+
 [Unit]
 Description=containerd container runtime
 Documentation=https://containerd.io
@@ -57,14 +73,20 @@ After=network.target local-fs.target dbus.service
 [Service]
 ExecStartPre=-/sbin/modprobe overlay
 ExecStart=/usr/local/bin/containerd
+
 Type=notify
 Delegate=yes
 KillMode=process
 Restart=always
 RestartSec=5
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
 LimitNPROC=infinity
 LimitCORE=infinity
-LimitNOFILE=infinity
+
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
 TasksMax=infinity
 OOMScoreAdjust=-999
 

diff --git a/templates/node-image/1.28.9-ubuntu-22-04-containerd/scripts/kubernetes.sh b/templates/node-image/1.28.9-ubuntu-22-04-containerd/scripts/kubernetes.sh
@@ -36,6 +36,7 @@ kubeadm config images pull --kubernetes-version $KUBERNETES_VERSION
 
 # Sets permission accordingly to CIS Benchmark
 chmod -R 644 /etc/cni
+chown -R root:root /etc/cni
 
 # enable completion
 echo 'source <(kubectl completion bash)' >>/root/.bashrc

diff --git a/templates/node-image/1.29.4-ubuntu-22-04-containerd/scripts/cri.sh b/templates/node-image/1.29.4-ubuntu-22-04-containerd/scripts/cri.sh
@@ -49,6 +49,22 @@ EOF
 
 # Create containerd systemd unit
 cat >/etc/systemd/system/containerd.service <<'EOF'
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
+
 [Unit]
 Description=containerd container runtime
 Documentation=https://containerd.io
@@ -57,14 +73,20 @@ After=network.target local-fs.target dbus.service
 [Service]
 ExecStartPre=-/sbin/modprobe overlay
 ExecStart=/usr/local/bin/containerd
+
 Type=notify
 Delegate=yes
 KillMode=process
 Restart=always
 RestartSec=5
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
 LimitNPROC=infinity
 LimitCORE=infinity
-LimitNOFILE=infinity
+
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
 TasksMax=infinity
 OOMScoreAdjust=-999
 

diff --git a/templates/node-image/1.29.4-ubuntu-22-04-containerd/scripts/kubernetes.sh b/templates/node-image/1.29.4-ubuntu-22-04-containerd/scripts/kubernetes.sh
@@ -36,6 +36,7 @@ kubeadm config images pull --kubernetes-version $KUBERNETES_VERSION
 
 # Sets permission accordingly to CIS Benchmark
 chmod -R 644 /etc/cni
+chown -R root:root /etc/cni
 
 # enable completion
 echo 'source <(kubectl completion bash)' >>/root/.bashrc