Refactor to make more resilient

Author: kpouget

createdisk.sh

@@ -52,7 +52,7 @@ wait_for_ssh ${VM_NAME} ${VM_IP}
 if [ ${BUNDLE_TYPE} != "microshift" ]; then
     # Disable kubelet service
     ${SSH} core@${VM_IP} -- sudo systemctl disable kubelet
-    
+
     # Stop the kubelet service so it will not reprovision the pods
     ${SSH} core@${VM_IP} -- sudo systemctl stop kubelet
 fi
@@ -109,6 +109,8 @@ ${SSH} core@${VM_IP} 'sudo bash -x -s' <<EOF
 [Unit]
 Description=gvisor-tap-vsock Network Traffic Forwarder
 After=sys-devices-virtual-net-%i.device
+After=crc-env-file-exists.path
+After=crc-no-tap.service
 
 [Service]
 Restart=on-failure

systemd/crc-cluster-status.service

@@ -1,17 +1,17 @@
 [Unit]
 Description=CRC Unit checking if cluster is ready
+After=crc-env-file-exists.path
 After=crc-wait-apiserver-up.service crc-pullsecret.service
 After=ocp-mco-sshkey.service ocp-cluster-ca.service
 After=ocp-custom-domain.service ocp-userpasswords.service
 After=ocp-clusterid.service
 StartLimitIntervalSec=450
-StartLimitBurst=10
+StartLimitBurst=40
 
 [Service]
 Type=oneshot
 Restart=on-failure
-RestartSec=40
-EnvironmentFile=-/etc/sysconfig/crc-env
+RestartSec=10
 ExecCondition=/usr/local/bin/crc-self-sufficient-env.sh
 ExecStart=/usr/local/bin/crc-cluster-status.sh
 RemainAfterExit=true

systemd/crc-cluster-status.sh

@@ -7,6 +7,8 @@ set -o errtrace
 set -x
 
 export KUBECONFIG=/opt/kubeconfig
+MAXIMUM_LOGIN_RETRY=10
+RETRY_DELAY=5
 
 if [ ! -f /opt/crc/pass_kubeadmin ]; then
     echo "kubeadmin password file not found"
@@ -21,19 +23,41 @@ fi
 
 
 echo "Logging into OpenShift with kubeadmin user to update $KUBECONFIG"
-COUNTER=1
-MAXIMUM_LOGIN_RETRY=10
 
-# use a `(set +x)` subshell to avoid leaking the password
-until (set +x ; oc login --insecure-skip-tls-verify=true -u kubeadmin -p "$(cat /opt/crc/pass_kubeadmin)" https://api.crc.testing:6443 > /dev/null 2>&1); do
-    if [ "$COUNTER" -ge "$MAXIMUM_LOGIN_RETRY" ]; then
-        echo "Unable to login to the cluster..., authentication failed."
+try_login() {
+    (   # use a `(set +x)` subshell to avoid leaking the password
+        set +x
+        set +e # don't abort on error in this subshell
+        oc login --insecure-skip-tls-verify=true \
+           -u kubeadmin \
+           -p "$(cat /opt/crc/pass_kubeadmin)" \
+           https://api.crc.testing:6443 > /dev/null 2>&1
+    )
+    success="$?"
+    if [[ "$success" == 0 ]]; then
+        echo "Login successed"
+    else
+        echo "Login didn't complete ..."
+    fi
+
+    return "$success"
+}
+
+for ((counter=1; counter<=MAXIMUM_LOGIN_RETRY; counter++)); do
+    echo "Login attempt $counter/$MAXIMUM_LOGIN_RETRY…"
+    if try_login; then
+        break
+    fi
+    if (( counter == MAXIMUM_LOGIN_RETRY )); then
+        echo "Unable to login to the cluster after $counter attempts; authentication failed."
         exit 1
     fi
-    echo "Logging into OpenShift with updated credentials try $COUNTER, hang on...."
-    sleep 5
-    ((COUNTER++))
+    sleep "$RETRY_DELAY"
 done
 
 # need to set a marker to let `crc` know the cluster is ready
 touch /tmp/.crc-cluster-ready
+
+echo "All done"
+
+exit 0

systemd/crc-dnsmasq.service

@@ -1,16 +1,16 @@
 [Unit]
 Description=CRC Unit for configuring dnsmasq
 Wants=ovs-configuration.service
+After=crc-env-file-exists.path
 After=ovs-configuration.service
 Before=kubelet-dependencies.target
 StartLimitIntervalSec=30
 
 [Service]
 Type=oneshot
 Restart=on-failure
-EnvironmentFile=-/etc/sysconfig/crc-env
-ExecStartPre=/bin/systemctl start ovs-configuration.service
 ExecCondition=/usr/local/bin/crc-self-sufficient-env.sh
+ExecStartPre=/bin/systemctl start ovs-configuration.service
 ExecStart=/usr/local/bin/crc-dnsmasq.sh
 ExecStartPost=/usr/bin/systemctl restart NetworkManager.service
 ExecStartPost=/usr/bin/systemctl restart dnsmasq.service

systemd/crc-env-file-exists.path

@@ -0,0 +1,8 @@
+[Unit]
+Description=Wait for /etc/sysconfig/crc-env file to be populated
+
+[Path]
+PathExists=/etc/sysconfig/crc-env
+
+[Install]
+WantedBy=multi-user.target

systemd/crc-needs-tap.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -o pipefail
+set -o errexit
+set -o nounset
+set -o errtrace
+set -x
+
+source /etc/sysconfig/crc-env || echo "WARNING: crc-env not found"
+
+running_on_aws() {
+    # Set a timeout for the curl command
+    TIMEOUT=1
+
+    # Check the metadata service first
+    if curl -s -m $TIMEOUT http://169.254.169.254/latest/meta-data/instance-id > /dev/null 2>&1; then
+        echo "✅ Running on an AWS EC2 instance."
+        return 0
+
+        # As a fallback, check system information
+    elif [[ $(sudo cat /sys/class/dmi/id/product_name) == *"Amazon EC2"* ]]; then
+        echo "✅ Running on an AWS EC2 instance (detected via DMI)."
+        return 0
+    else
+        echo "❌ Not running on an AWS EC2 instance."
+        return 1
+    fi
+}
+
+NEED_TAP=0
+DONT_NEED_TAP=1
+
+if running_on_aws ; then
+    echo "Running on AWS. Don't need tap0."
+    exit $DONT_NEED_TAP
+fi
+
+if systemd-detect-virt | grep -E -q '^(kvm|apple|microsoft)$' ; then
+    echo "Running with '$(systemd-detect-virt)' virtualization. Need tap0."
+    exit $NEED_TAP
+fi
+
+if /usr/local/bin/crc-self-sufficient-env.sh; then
+    echo "Running with a self-sufficient bundle. Don't keep tap0"
+    exit $DONT_NEED_TAP
+fi
+
+echo "No particular environment detected. Don't keep tap0"
+
+exit $DONT_NEED_TAP

systemd/crc-no-tap.service

@@ -1,12 +1,15 @@
 [Unit]
-Description=Ensure that tap0 network configuration is absent on Apple Virtualization
+Description=Ensure that tap0 network configuration is disabled when not necessary
 Before=NetworkManager.service
+Before[email protected]
 After=local-fs.target
+After=crc-env-file-exists.path
 RequiresMountsFor=/etc/NetworkManager/system-connections
 
 [Service]
 Type=oneshot
-EnvironmentFile=-/etc/sysconfig/crc-env
+# start under the condition that CRC doesn't need TAP
+ExecCondition=/bin/bash -c '! /usr/local/bin/crc-needs-tap.sh'
 ExecStart=/usr/local/bin/crc-no-tap.sh
 
 [Install]

systemd/crc-no-tap.sh

@@ -1,10 +1,14 @@
 #!/bin/bash
 
-# Return true if running under Apple Virtualization or CRC_SELF_SUFFICIENT is set, otherwise false
+set -o pipefail
+set -o errexit
+set -o nounset
+set -o errtrace
+set -x
 
-if systemd-detect-virt | grep -q '^apple$' || [ -n "$CRC_SELF_SUFFICIENT" ]; then
-    rm -f /etc/NetworkManager/system-connections/tap0.nmconnection
-    systemctl disable --now gv-user-network@tap0.service
-fi
+echo "Disabling the tap0 network configuration ..."
+
+rm -f /etc/NetworkManager/system-connections/tap0.nmconnection
+systemctl disable --now [email protected] || true
 
 exit 0

systemd/crc-pullsecret.service

@@ -1,15 +1,15 @@
 [Unit]
 Description=CRC Unit for adding pull secret to cluster
+After=cloud-init-crc-env.path
 After=crc-wait-apiserver-up.service
 StartLimitIntervalSec=450
-StartLimitBurst=10
+StartLimitBurst=40
 ConditionPathExists=!/opt/crc/%n.done
 
 [Service]
 Type=oneshot
 Restart=on-failure
-RestartSec=40
-EnvironmentFile=-/etc/sysconfig/crc-env
+RestartSec=10
 ExecCondition=/usr/local/bin/crc-self-sufficient-env.sh
 ExecStart=/usr/local/bin/crc-pullsecret.sh
 ExecStartPost=-touch /opt/crc/%n.done

systemd/crc-pullsecret.sh

@@ -9,13 +9,14 @@ set -x
 source /usr/local/bin/crc-systemd-common.sh
 export KUBECONFIG="/opt/kubeconfig"
 
-wait_for_resource secret
+wait_for_resource_or_die secret
 
-set +x # disable the logging to avoid leaking the pull secrets
+set +x # /!\ disable the logging to avoid leaking the pull secrets
 
 # check if existing pull-secret is valid if not add the one from /opt/crc/pull-secret
-existingPsB64=$(oc get secret pull-secret -n openshift-config -o jsonpath="{['data']['\.dockerconfigjson']}")
-existingPs=$(echo "${existingPsB64}" | base64 -d)
+existingPs=$(oc get secret pull-secret -n openshift-config \
+                   -o jsonpath="{['data']['\.dockerconfigjson']}" \
+                    | base64 -d)
 
 # check if the .auths field is there
 if echo "${existingPs}" | jq -e 'has("auths")' >/dev/null 2>&1; then
@@ -24,9 +25,12 @@ if echo "${existingPs}" | jq -e 'has("auths")' >/dev/null 2>&1; then
 fi
 
 echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
+
 pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
 # Create the JSON patch in memory and pipe it to the oc command
 printf '{"data":{".dockerconfigjson": "%s"}}' "${pullSecretB64}" | \
-    oc patch secret pull-secret -n openshift-config --type merge --patch-file -
+    oc patch secret pull-secret -n openshift-config --type merge --patch-file=/dev/stdin
+
+echo "All done"
 
 exit 0