fleetlock is a reboot coordinator for Fedora CoreOS nodes in Kubernetes clusters. It implements the FleetLock protocol for use as a Zincati lock strategy backend.
Zincati runs on-host (zincati.service). Declare a Zincati fleet_lock strategy when provisioning Fedora CoreOS nodes. Set base_url for host nodes to access the in-cluster fleetlock Service (e.g. known ClusterIP).
```yaml
variant: fcos
version: 1.4.0
storage:
  files:
    - path: /etc/zincati/config.d/55-update-strategy.toml
      contents:
        inline: |
          [updates]
          strategy = "fleet_lock"
          [updates.fleet_lock]
          base_url = "http://10.3.0.15/"
```

Apply the fleetlock Deployment, Service (with ClusterIP), and ServiceAccount.

```sh
kubectl apply -f examples/k8s
```
Inspect the fleetlock Lease object.
```
$ kubectl get leases -n default
NAME                HOLDER                             AGE
fleetlock-default   049ad0f57ade4723a48692b7b692c318   4m50s
```
Configure the server via flags.
| flag | description | default |
|---|---|---|
| -address | HTTP listen address | 0.0.0.0:8080 |
| -log-level | Logger level | info |
| -version | Show version | NA |
| -help | Show help | NA |
Or via environment variables.
| variable | description | default |
|---|---|---|
| NAMESPACE | Kubernetes Namespace | "default" |
| KUBECONFIG | Development Kubeconfig | NA |
For Typhoon clusters, add the Zincati config as a snippet.

```tf
module "nemo" {
  ...
  controller_snippets = [
    file("./snippets/zincati-strategy.yaml"),
  ]
  worker_snippets = [
    file("./snippets/zincati-strategy.yaml"),
  ]
}
```

fleetlock coordinates OS auto-updates to avoid concurrent node updates and to stop a potentially bad auto-update from continuing. Zincati obtains a reboot lease lock before finalization (i.e. reboot).
If an auto-update fails, the lease continues to be held by design. An admin should investigate the node failure and decide whether it is safe to remove the lease.
```
$ kubectl get leases
$ kubectl delete lease fleetlock-default
```
fleetlock serves Prometheus /metrics from Go, process, and custom collectors.
| name | description |
|---|---|
| fleetlock_lock_state | State of the fleetlock lease (0 unlocked, 1 locked) |
| fleetlock_lock_transition_count | Number of fleetlock lease transitions |
| fleetlock_lock_request_count | Number of lock requests |
| fleetlock_unlock_request_count | Number of unlock requests |
To develop locally, build and run the executable.
Build the static binary.

```sh
make build
```

Build the container image.

```sh
make image
```

Run the executable.

```sh
export KUBECONFIG=some-dev-kubeconfig
./bin/fleetlock
```
Use curl to emulate a Zincati FleetLock client.
```json
{
  "client_params": {
    "id": "c988d2509fdf5cdcbed39037c56406fb",
    "group": "default"
  }
}
```

Request a reboot lock.

```sh
curl -H "fleet-lock-protocol: true" -d @examples/body.json http://127.0.0.1:8080/v1/pre-reboot
```

Release a reboot lock.

```sh
curl -H "fleet-lock-protocol: true" -d @examples/body.json http://127.0.0.1:8080/v1/steady-state
```
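
The exchange those curl commands drive, modelled as an added example (not fleetlock's own code): a stand-in server that keeps the lock holder in memory instead of a Kubernetes Lease, so the grant, deny and release cases can be seen without a cluster. The `Lock` type, the `Request` helper, the 400/409 status codes and any node ids passed to `Request` are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Lock is a hypothetical in-memory stand-in for the fleetlock Lease.
type Lock struct {
	mu     sync.Mutex
	holder string // id of the node holding the reboot lock, "" when free
}

// ServeHTTP checks the protocol header and body, then locks or unlocks.
func (l *Lock) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var m struct{ ClientParams struct{ ID, Group string } `json:"client_params"` }
	if r.Header.Get("fleet-lock-protocol") != "true" ||
		json.NewDecoder(r.Body).Decode(&m) != nil || m.ClientParams.ID == "" {
		http.Error(w, "malformed FleetLock request", http.StatusBadRequest) // assumed status
		return
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	switch id, path := m.ClientParams.ID, r.URL.Path; {
	case path == "/v1/pre-reboot" && (l.holder == "" || l.holder == id):
		l.holder = id // grant, or re-grant to the current holder
	case path == "/v1/pre-reboot":
		http.Error(w, "lock held by another node", http.StatusConflict) // assumed status
	case path == "/v1/steady-state" && l.holder == id:
		l.holder = "" // only the holder's own report releases the lock
	case path != "/v1/steady-state":
		http.NotFound(w, r)
	}
}

// Request emulates the page's curl calls in-process and returns the HTTP status.
func Request(l *Lock, path, id, header string) int {
	body := `{"client_params":{"id":"` + id + `","group":"default"}}` // ids are constructed
	r, w := httptest.NewRequest("POST", path, strings.NewReader(body)), httptest.NewRecorder()
	r.Header.Set("fleet-lock-protocol", header)
	l.ServeHTTP(w, r)
	return w.Code
}

func main() {
	panic(http.ListenAndServe("127.0.0.1:8080", &Lock{})) // serves until interrupted
}
```

Run stand-alone, it listens on 127.0.0.1:8080, so the two curl commands above can be pointed at it unchanged.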