[WIP] Support for direct-lvm Docker storage driver (#480)

* Support for direct-lvm Docker storage driver

* Add lvm2 package to inspector checks

* Use filepath.Abs

* Run block volume checks during preflight

* Remove lvm2 package to inspector checks

* Add lvm integration tests

* Minor lvm play changes

Author: alexbrand

ansible/_docker.yaml

@@ -1,7 +1,7 @@
 ---
   - hosts: master:worker:ingress:storage
     any_errors_fatal: true
-    name: "{{ play_name | default('Start Docker') }}"
+    name: "{{ play_name | default('Install Docker') }}"
     serial: "{{ serial_count | default('100%') }}"
     remote_user: root
     become_method: sudo
@@ -11,4 +11,6 @@
     roles:
       - role: packages-docker
         when: allow_package_installation|bool == true
-      - docker
+      - role: docker-storage
+        when: docker_direct_lvm_enabled|bool == true
+      - role: docker

ansible/group_vars/all.yaml

@@ -74,6 +74,13 @@ docker_certificates_key_file_name: docker-key.pem
 docker_certificates_cert_path: "{{ docker_install_dir }}/{{ docker_certificates_cert_file_name }}"
 docker_certificates_key_path: "{{ docker_install_dir }}/{{ docker_certificates_key_file_name }}"
 #===============================================================================
+# docker configuration
+# docker_direct_lvm_enabled: no default
+# docker_direct_lvm_block_device_path: no default
+# docker_direct_lvm_deferred_deletion_enabled: no default
+docker_device_mapper_thin_pool_autoextend_threshold: 80
+docker_device_mapper_thin_pool_autoextend_percent: 20
+#===============================================================================
 # calico
 # directories
 calico_dir: /etc/calico

ansible/roles/docker-storage/tasks/main.yaml

@@ -0,0 +1,33 @@
+---
+  - name: install lvm2 package
+    package:
+      name: lvm2
+      state: present
+    when: "ansible_os_family == 'RedHat'"
+  # Not using lvol and lvg ansible modules here as they are in preview
+  - name: create a physical volume on the block device
+    command: pvcreate {{ docker_direct_lvm_block_device_path }}
+    when: "ansible_os_family == 'RedHat'"
+  - name: create docker volume group
+    command: vgcreate docker {{ docker_direct_lvm_block_device_path }}
+    when: "ansible_os_family == 'RedHat'"
+  - name: create thinpool logical volume
+    command: lvcreate --wipesignatures y -n thinpool docker -l 95%VG
+    when: "ansible_os_family == 'RedHat'"
+  - name: create thinpoolmeta logical volume
+    command: lvcreate --wipesignatures y -n thinpoolmeta docker -l 1%VG
+    when: "ansible_os_family == 'RedHat'"
+  - name: convert the pool to a thin pool
+    command: lvconvert -y --zero n -c 512K --thinpool docker/thinpool --poolmetadata docker/thinpoolmeta
+    when: "ansible_os_family == 'RedHat'"
+  - name: create auto extension profile
+    template:
+      src: docker-thinpool.profile
+      dest: /etc/lvm/profile/docker-thinpool.profile
+    when: "ansible_os_family == 'RedHat'"
+  - name: apply lvm profile
+    command: lvchange --metadataprofile docker-thinpool docker/thinpool
+    when: "ansible_os_family == 'RedHat'"
+  - name: enable monitoring to ensure autoextend executes
+    command: lvchange --metadataprofile docker-thinpool docker/thinpool
+    when: "ansible_os_family == 'RedHat'"

ansible/roles/docker-storage/templates/docker-thinpool.profile

@@ -0,0 +1,4 @@
+activation {
+thin_pool_autoextend_threshold={{docker_device_mapper_thin_pool_autoextend_threshold}}
+thin_pool_autoextend_percent={{docker_device_mapper_thin_pool_autoextend_percent}}
+}

ansible/roles/docker/tasks/main.yaml

@@ -1,4 +1,13 @@
 ---
+  - name: create /etc/docker directory
+    file:
+      path: /etc/docker
+      state: directory
+  - name: write docker config file
+    template:
+      src: daemon.json
+      dest: /etc/docker/daemon.json
+    when: docker_direct_lvm_enabled|bool == true
   # start and verify that Docker installed succesfully and is running
   - name: start docker service
     service:

ansible/roles/docker/templates/daemon.json

@@ -0,0 +1,8 @@
+{
+  "storage-driver": "devicemapper",
+   "storage-opts": [
+     "dm.thinpooldev=/dev/mapper/docker-thinpool",
+     "dm.use_deferred_removal=true",
+     "dm.use_deferred_deletion={{docker_direct_lvm_deferred_deletion_enabled}}"
+   ]
+}

ansible/roles/preflight/tasks/direct_lvm_preflight.yaml

@@ -0,0 +1,18 @@
+---
+  - name: stat the block device path
+    stat:
+      path: "{{ docker_direct_lvm_block_device_path }}"
+    register: block_device_stat
+  - name: fail if the block device does not exists
+    fail:
+      msg: "Block device specified for docker storage does not exist."
+    when: block_device_stat.stat.exists == False
+  - name: fail if the provided path is not a block device
+    fail:
+      msg: "{{ docker_direct_lvm_block_device_path }} is not a block device."
+    when: block_device_stat.stat.isblk == False
+  - name: fail if the block device is already mounted
+    fail:
+      msg: "Block deviced specified for docker storage is currently mounted. This should be an unmounted, unused device"
+    with_items: ansible_mounts
+    when: item.device == "{{ docker_direct_lvm_block_device_path }}"

ansible/roles/preflight/tasks/main.yaml

@@ -73,6 +73,10 @@
       loop_var: outer_item # Define this (even thought we don't use it) so that ansible doesn't complain.
     when: "'worker' in group_names"
 
+  - name: Validate devicemapper direct-lvm block device
+    include: direct_lvm_preflight.yaml
+    when: "ansible_os_family == 'RedHat' and docker_direct_lvm_enabled|bool == true and ('master' in group_names or 'worker' in group_names or 'ingress' in group_names or 'storage' in group_names)"
+
   # setup Kismatic Inspector
   - name: copy Kismatic Inspector to node
     copy:

integration/aws/client.go

@@ -106,7 +106,7 @@ func (c *Client) prepareSession() error {
 
 // CreateNode is for creating a machine on AWS using the given AMI and InstanceType.
 // Returns the ID of the newly created machine.
-func (c Client) CreateNode(ami AMI, instanceType InstanceType) (string, error) {
+func (c Client) CreateNode(ami AMI, instanceType InstanceType, addBlockDevice bool) (string, error) {
 	api, err := c.getEC2APIClient()
 	if err != nil {
 		return "", err
@@ -129,6 +129,16 @@ func (c Client) CreateNode(ami AMI, instanceType InstanceType) (string, error) {
 		KeyName:          aws.String(c.Config.Keyname),
 		SecurityGroupIds: []*string{aws.String(c.Config.SecurityGroupID)},
 	}
+	if addBlockDevice {
+		ebs := ec2.BlockDeviceMapping{
+			DeviceName: aws.String("/dev/sdb"),
+			Ebs: &ec2.EbsBlockDevice{
+				DeleteOnTermination: aws.Bool(true),
+				VolumeSize:          aws.Int64(10),
+			},
+		}
+		req.BlockDeviceMappings = append(req.BlockDeviceMappings, &ebs)
+	}
 	res, err := api.RunInstances(req)
 	if err != nil {
 		return "", err

integration/framework.go

@@ -116,6 +116,28 @@ func WithMiniInfrastructure(distro linuxDistro, provisioner infrastructureProvis
 	f(nodes.worker[0], sshKey)
 }
 
+// WithMiniInfrastructureAndBlockDevice  runs the spec with the requested infrastructure and an additiona block device
+// The block will be under /dev/xvdb on AWS
+func WithMiniInfrastructureAndBlockDevice(distro linuxDistro, provisioner infrastructureProvisioner, f miniInfraDependentTest) {
+	By("Provisioning minikube node")
+	start := time.Now()
+	nodes, err := provisioner.ProvisionNodes(NodeCount{Worker: 1}, distro, []string{"block_device"}...)
+	if !leaveIt() {
+		defer provisioner.TerminateNodes(nodes)
+	}
+	Expect(err).ToNot(HaveOccurred())
+	fmt.Println("Provisioning node took", time.Since(start))
+
+	By("Waiting until nodes are SSH-accessible")
+	start = time.Now()
+	sshKey := provisioner.SSHKey()
+	err = waitForSSH(nodes, sshKey)
+	Expect(err).ToNot(HaveOccurred())
+	fmt.Println("Waiting for SSH took", time.Since(start))
+
+	f(nodes.worker[0], sshKey)
+}
+
 // SubDescribe allows you to define specifications inside another spec.
 // We have found the need for this because Gingko does not support
 // serializing a subset of tests when running in parallel. This means

integration/install.go

@@ -36,6 +36,7 @@ type installOptions struct {
 	dockerRegistryPort          int
 	dockerRegistryCAPath        string
 	modifyHostsFiles            bool
+	useDirectLVM                bool
 }
 
 func installKismaticMini(node NodeDeets, sshKey string) error {
@@ -82,6 +83,7 @@ func buildPlan(nodes provisionedNodes, installOpts installOptions, sshKey string
 		DockerRegistryIP:             installOpts.dockerRegistryIP,
 		DockerRegistryPort:           installOpts.dockerRegistryPort,
 		ModifyHostsFiles:             installOpts.modifyHostsFiles,
+		UseDirectLVM:                 installOpts.useDirectLVM,
 	}
 	return plan
 }

integration/install_test.go

@@ -119,6 +119,44 @@ var _ = Describe("kismatic", func() {
 			})
 		})
 
+		Context("when using direct-lvm docker storage", func() {
+			installOpts := installOptions{
+				allowPackageInstallation: true,
+				useDirectLVM:             true,
+			}
+			Context("when targetting CentOS", func() {
+				ItOnAWS("should install successfully", func(aws infrastructureProvisioner) {
+					WithMiniInfrastructureAndBlockDevice(CentOS7, aws, func(node NodeDeets, sshKey string) {
+						theNode := []NodeDeets{node}
+						nodes := provisionedNodes{
+							etcd:    theNode,
+							master:  theNode,
+							worker:  theNode,
+							ingress: theNode,
+						}
+						err := installKismatic(nodes, installOpts, sshKey)
+						Expect(err).ToNot(HaveOccurred())
+					})
+				})
+			})
+
+			Context("when targetting RHEL", func() {
+				ItOnAWS("should install successfully", func(aws infrastructureProvisioner) {
+					WithMiniInfrastructureAndBlockDevice(RedHat7, aws, func(node NodeDeets, sshKey string) {
+						theNode := []NodeDeets{node}
+						nodes := provisionedNodes{
+							etcd:    theNode,
+							master:  theNode,
+							worker:  theNode,
+							ingress: theNode,
+						}
+						err := installKismatic(nodes, installOpts, sshKey)
+						Expect(err).ToNot(HaveOccurred())
+					})
+				})
+			})
+		})
+
 		// This spec will be used for testing non-destructive kismatic features on
 		// a new cluster.
 		// This spec is open to modification when new assertions have to be made

integration/plan_patterns.go

@@ -23,6 +23,7 @@ type PlanAWS struct {
 	DockerRegistryPort           int
 	DockerRegistryCAPath         string
 	ModifyHostsFiles             bool
+	UseDirectLVM                 bool
 }
 
 const planAWSOverlay = `cluster:
@@ -44,7 +45,13 @@ const planAWSOverlay = `cluster:
   ssh:
     user: {{.SSHUser}}
     ssh_key: {{.SSHKeyFile}}
-    ssh_port: 22
+    ssh_port: 22{{if .UseDirectLVM}}
+docker:
+  storage:
+    direct_lvm:
+      enabled: true
+      block_device: "/dev/xvdb"
+      enable_deferred_deletion: false{{end}}
 docker_registry:
   setup_internal: {{.AutoConfiguredDockerRegistry}}
   address: {{.DockerRegistryIP}}

integration/provision.go

@@ -27,7 +27,7 @@ const (
 )
 
 type infrastructureProvisioner interface {
-	ProvisionNodes(NodeCount, linuxDistro) (provisionedNodes, error)
+	ProvisionNodes(NodeCount, linuxDistro, ...string) (provisionedNodes, error)
 	TerminateNodes(provisionedNodes) error
 	TerminateNode(NodeDeets) error
 	SSHKey() string
@@ -147,7 +147,7 @@ func AWSClientFromEnvironment() (infrastructureProvisioner, bool) {
 	return p, true
 }
 
-func (p awsProvisioner) ProvisionNodes(nodeCount NodeCount, distro linuxDistro) (provisionedNodes, error) {
+func (p awsProvisioner) ProvisionNodes(nodeCount NodeCount, distro linuxDistro, opts ...string) (provisionedNodes, error) {
 	var ami aws.AMI
 	switch distro {
 	case Ubuntu1604LTS:
@@ -159,38 +159,45 @@ func (p awsProvisioner) ProvisionNodes(nodeCount NodeCount, distro linuxDistro)
 	default:
 		panic(fmt.Sprintf("Used an unsupported distribution: %s", distro))
 	}
+	var addBlockDevice bool
+	for _, o := range opts {
+		if o == "block_device" {
+			addBlockDevice = true
+		}
+	}
+
 	provisioned := provisionedNodes{}
 	var i uint16
 	for i = 0; i < nodeCount.Etcd; i++ {
-		nodeID, err := p.client.CreateNode(ami, aws.T2Medium)
+		nodeID, err := p.client.CreateNode(ami, aws.T2Medium, addBlockDevice)
 		if err != nil {
 			return provisioned, err
 		}
 		provisioned.etcd = append(provisioned.etcd, NodeDeets{id: nodeID})
 	}
 	for i = 0; i < nodeCount.Master; i++ {
-		nodeID, err := p.client.CreateNode(ami, aws.T2Medium)
+		nodeID, err := p.client.CreateNode(ami, aws.T2Medium, addBlockDevice)
 		if err != nil {
 			return provisioned, err
 		}
 		provisioned.master = append(provisioned.master, NodeDeets{id: nodeID})
 	}
 	for i = 0; i < nodeCount.Worker; i++ {
-		nodeID, err := p.client.CreateNode(ami, aws.T2Medium)
+		nodeID, err := p.client.CreateNode(ami, aws.T2Medium, addBlockDevice)
 		if err != nil {
 			return provisioned, err
 		}
 		provisioned.worker = append(provisioned.worker, NodeDeets{id: nodeID})
 	}
 	for i = 0; i < nodeCount.Ingress; i++ {
-		nodeID, err := p.client.CreateNode(ami, aws.T2Medium)
+		nodeID, err := p.client.CreateNode(ami, aws.T2Medium, addBlockDevice)
 		if err != nil {
 			return provisioned, err
 		}
 		provisioned.ingress = append(provisioned.ingress, NodeDeets{id: nodeID})
 	}
 	for i = 0; i < nodeCount.Storage; i++ {
-		nodeID, err := p.client.CreateNode(ami, aws.T2Medium)
+		nodeID, err := p.client.CreateNode(ami, aws.T2Medium, addBlockDevice)
 		if err != nil {
 			return provisioned, err
 		}
@@ -329,7 +336,7 @@ func packetClientFromEnv() (infrastructureProvisioner, bool) {
 	return p, true
 }
 
-func (p packetProvisioner) ProvisionNodes(nodeCount NodeCount, distro linuxDistro) (provisionedNodes, error) {
+func (p packetProvisioner) ProvisionNodes(nodeCount NodeCount, distro linuxDistro, _ ...string) (provisionedNodes, error) {
 	var packetDistro packet.OS
 	switch distro {
 	case Ubuntu1604LTS:

pkg/ansible/clustercatalog.go

@@ -63,6 +63,10 @@ type ClusterCatalog struct {
 
 	DiagnosticsDirectory string `yaml:"diagnostics_dir"`
 	DiagnosticsDateTime  string `yaml:"diagnostics_date_time"`
+
+	DockerDirectLVMEnabled                 bool   `yaml:"docker_direct_lvm_enabled"`
+	DockerDirectLVMBlockDevicePath         string `yaml:"docker_direct_lvm_block_device_path"`
+	DockerDirectLVMDeferredDeletionEnabled bool   `yaml:"docker_direct_lvm_deferred_deletion_enabled"`
 }
 
 type NFSVolume struct {

pkg/install/execute.go

@@ -697,6 +697,12 @@ func (ae *ansibleExecutor) buildClusterCatalog(p *Plan) (*ansible.ClusterCatalog
 		cc.DockerRegistryPort = "8443"
 	} // Else just use DockerHub
 
+	// Setup docker options
+	cc.DockerDirectLVMEnabled = p.Docker.Storage.DirectLVM.Enabled
+	if cc.DockerDirectLVMEnabled {
+		cc.DockerDirectLVMBlockDevicePath = p.Docker.Storage.DirectLVM.BlockDevice
+		cc.DockerDirectLVMDeferredDeletionEnabled = p.Docker.Storage.DirectLVM.EnableDeferredDeletion
+	}
 	if ae.options.RestartServices {
 		cc.EnableRestart()
 	}

pkg/install/plan.go

@@ -218,4 +218,7 @@ var commentMap = map[string]string{
 	"nfs":                      "A set of NFS volumes for use by on-cluster persistent workloads, managed by Kismatic.",
 	"nfs_host":                 "The host name or ip address of an NFS server.",
 	"mount_path":               "The mount path of an NFS share. Must start with /",
+	"direct_lvm":               "Configure devicemapper in direct-lvm mode (RHEL/CentOS only).",
+	"block_device":             "Path to the block device that will be used for direct-lvm mode. This device will be wiped and used exclusively by docker.",
+	"enable_deferred_deletion": "Set to true if you want to enable deferred deletion when using direct-lvm mode.",
 }