- Introduction
- Kubernetes & OS Compatibility
- Installation
- Configuration
- Operation
- Building
- Frequently Asked/Anticipated Questions
- Getting Help
Kured (KUbernetes REboot Daemon) is a Kubernetes daemonset that performs safe automatic node reboots when the need to do so is indicated by the package management system of the underlying OS.
- Watches for the presence of a reboot sentinel e.g.
/var/run/reboot-required
- Utilises a lock in the API server to ensure only one node reboots at a time
- Optionally defers reboots in the presence of active Prometheus alerts or selected pods
- Cordons & drains worker nodes before reboot, uncordoning them after
The daemon image contains versions of k8s.io/client-go
and the
kubectl
binary for the purposes of maintaining the lock and draining
worker nodes. Kubernetes aims to provide forwards & backwards
compatibility of one minor version between client and server:
kured | kubectl | k8s.io/client-go | k8s.io/apimachinery | expected kubernetes compatibility |
---|---|---|---|---|
master | 1.18.2 | v0.18.2 | v0.18.2 | 1.17.x, 1.18.x, 1.19.x |
1.4.0 | 1.17.5 | v0.17.0 | v0.17.0 | 1.16.x, 1.17.x, 1.18.x |
1.3.0 | 1.15.10 | v12.0.0 | release-1.15 | 1.15.x, 1.16.x, 1.17.x |
1.2.0 | 1.13.6 | v10.0.0 | release-1.13 | 1.12.x, 1.13.x, 1.14.x |
1.1.0 | 1.12.1 | v9.0.0 | release-1.12 | 1.11.x, 1.12.x, 1.13.x |
1.0.0 | 1.7.6 | v4.0.0 | release-1.7 | 1.6.x, 1.7.x, 1.8.x |
See the release notes for specific version compatibility information, including which combination have been formally tested.
Versions >=1.1.0 enter the host mount namespace to invoke
systemctl reboot
, so should work on any systemd distribution.
To obtain a default installation without Prometheus alerting interlock or Slack notifications:
kubectl apply -f https://github.com/weaveworks/kured/releases/download/1.3.0/kured-1.3.0-dockerhub.yaml
If you want to customise the installation, download the manifest and edit it in accordance with the following section before application.
The following arguments can be passed to kured via the daemonset pod template:
Flags:
--alert-filter-regexp regexp.Regexp alert names to ignore when checking for active alerts
--blocking-pod-selector stringArray label selector identifying pods whose presence should prevent reboots
--ds-name string name of daemonset on which to place lock (default "kured")
--ds-namespace string namespace containing daemonset on which to place lock (default "kube-system")
--host-sentinel string path to file whose existence signals the undelying OS he can safely reboot now (external handling of reboot cmd)
--end-time string only reboot before this time of day (default "23:59")
-h, --help help for kured
--lock-annotation string annotation in which to record locking node (default "weave.works/kured-node-lock")
--period duration reboot check period (default 1h0m0s)
--prometheus-url string Prometheus instance to probe for active alerts
--reboot-days strings only reboot on these days (default [su,mo,tu,we,th,fr,sa])
--reboot-sentinel string path to file whose existence signals need to reboot (default "/var/run/reboot-required")
--slack-channel string slack channel for reboot notfications
--slack-hook-url string slack hook URL for reboot notfications
--slack-username string slack username for reboot notfications (default "kured")
--start-time string only reboot after this time of day (default "0:00")
--time-zone string use this timezone to calculate allowed reboot time (default "UTC")
By default kured checks for the existence of
/var/run/reboot-required
every sixty minutes; you can override these
values with --reboot-sentinel
and --period
. Each replica of the
daemon uses a random offset derived from the period on startup so that
nodes don't all contend for the lock simultaneously.
If your underlying hosts OS don't support nsenter
, as RancherOS, you
will need to handle the reboot externally. You can create a cronjob whose
function is to monitor the existance of the host-sentienl file. When it
exist, the node can safely call the reboot cmd.
write_files:
# Script to upgrade image OS if available (no reboot)
# Reboot is handled by K8S kured daemonset
- path: /var/lib/rancher/os-updater.sh
permissions: "0755"
owner: root
content: |
#!/bin/sh
source /usr/share/ros/os-release
STATUS=0
OS_LOCATION=`sudo ros os list | head -n1 | awk {'print $2'}`
OS_VERSION=`sudo ros os list | head -n1 | awk {'print $1'} | cut -d : -f 2`
if [ "$OS_LOCATION" == "local" ] && [ "$OS_VERSION" != "$VERSION" ]; then
echo "Upgrade available"
sudo ros os upgrade -f --no-reboot &>> /var/log/os-updater.log
STATUS=$?
if [ $STATUS -eq 0 ]; then
sudo touch /var/lib/rancher/update/need_to_reboot
else
echo "Upgrade failed"
fi
else
echo "No upgrade available"
fi
exit $STATUS
# Check if it's a good time to reboot
- path: /var/lib/rancher/os-rebooter.sh
permissions: "0755"
owner: root
content: |
#!/bin/sh
if [ -f /var/lib/rancher/update/reboot_now ] && [ -f /var/lib/rancher/update/need_to_reboot ]; then
sudo rm /var/lib/rancher/update/need_to_reboot
sudo rm /var/lib/rancher/update/reboot_now
sudo reboot
fi
# Rancher cronjob
rancher:
services:
# os-updater CRONJOB @hourly
os-updater:
image: rancher/os-base:v1.5.5
command: /var/lib/rancher/os-updater.sh
labels:
io.rancher.os.scope: "system"
cron.schedule: "0 0 * * * ?"
pid: host
privileged: true
volumes_from:
- all-volumes
# os-rebooter CRONJOB @minute
os-rebooter:
image: rancher/os-base:v1.5.5
command: /var/lib/rancher/os-rebooter.sh
labels:
io.rancher.os.scope: "system"
cron.schedule: "0 * * * * ?"
pid: host
privileged: true
volumes_from:
- all-volumes
By default, kured will reboot any time it detects the sentinel, but this
may cause reboots during odd hours. While service disruption does not
normally occur, anything is possible and operators may want to restrict
reboots to predictable schedules. Use --reboot-days
, --start-time
,
--end-time
, and --time-zone
to set a schedule. For example, business
hours on the west coast USA can be specified with:
--reboot-days mon,tue,wed,thu,fri
--start-time 9am
--end-time 5pm
--time-zone America/Los_Angeles
Times can be formatted in numerous ways, including 5pm
, 5:00pm
17:00
,
and 17
. --time-zone
represents a Go time.Location
, and can be UTC
,
Local
, or any entry in the standard Linux tz database.
Note that when using smaller time windows, you should consider shortening
the sentinel check period (--period
).
You may find it desirable to block automatic node reboots when there are active alerts - you can do so by providing the URL of your Prometheus server:
--prometheus-url=http://prometheus.monitoring.svc.cluster.local
By default the presence of any active (pending or firing) alerts will block reboots, however you can ignore specific alerts:
--alert-filter-regexp=^(RebootRequired|AnotherBenignAlert|...$
See the section on Prometheus metrics for an important application of this filter.
You can also block reboots of an individual node when specific pods are scheduled on it:
--blocking-pod-selector=runtime=long,cost=expensive
Since label selector strings use commas to express logical 'and', you can specify this parameter multiple times for 'or':
--blocking-pod-selector=runtime=long,cost=expensive
--blocking-pod-selector=name=temperamental
In this case, the presence of either an (appropriately labelled) expensive long running job or a known temperamental pod on a node will stop it rebooting.
Try not to abuse this mechanism - it's better to strive for restartability where possible. If you do use it, make sure you set up a RebootRequired alert as described in the next section so that you can intervene manually if reboots are blocked for too long.
Each kured pod exposes a single gauge metric (:8080/metrics
) that
indicates the presence of the sentinel file:
# HELP kured_reboot_required OS requires reboot due to software updates.
# TYPE kured_reboot_required gauge
kured_reboot_required{node="ip-xxx-xxx-xxx-xxx.ec2.internal"} 0
The purpose of this metric is to power an alert which will summon an operator if the cluster cannot reboot itself automatically for a prolonged period:
# Alert if a reboot is required for any machines. Acts as a failsafe for the
# reboot daemon, which will not reboot nodes if there are pending alerts save
# this one.
ALERT RebootRequired
IF max(kured_reboot_required) != 0
FOR 24h
LABELS { severity="warning" }
ANNOTATIONS {
summary = "Machine(s) require being rebooted, and the reboot daemon has failed to do so for 24 hours",
impact = "Cluster nodes more vulnerable to security exploits. Eventually, no disk space left.",
description = "Machine(s) require being rebooted, probably due to kernel update.",
}
If you choose to employ such an alert and have configured kured to
probe for active alerts before rebooting, be sure to specify
--alert-filter-regexp=^RebootRequired$
to avoid deadlock!
If you specify a Slack hook via --slack-hook-url
, kured will notify
you immediately prior to rebooting a node:
We recommend setting --slack-username
to be the name of the
environment, e.g. dev
or prod
.
The --ds-name
and --ds-namespace
arguments should match the name and
namespace of the daemonset used to deploy the reboot daemon - the locking is
implemented by means of an annotation on this resource. The defaults match
the daemonset YAML provided in the repository.
Similarly --lock-annotation
can be used to change the name of the
annotation kured will use to store the lock, but the default is almost
certainly safe.
The example commands in this section assume that you have not overriden the default lock annotation, daemonset name or namespace; if you have, you will have to adjust the commands accordingly.
You can test your configuration by provoking a reboot on a node:
sudo touch /var/run/reboot-required
If you need to temporarily stop kured from rebooting any nodes, you can take the lock manually:
kubectl -n kube-system annotate ds kured weave.works/kured-node-lock='{"nodeID":"manual"}'
Don't forget to release it afterwards!
In exceptional circumstances, such as a node experiencing a permanent failure whilst rebooting, manual intervention may be required to remove the cluster lock:
kubectl -n kube-system annotate ds kured weave.works/kured-node-lock-
NB the
-
at the end of the command is important - it instructskubectl
to remove that annotation entirely.
See the CircleCI config for the preferred version of Golang. Kured now uses Go Modules, so build instructions vary depending on where you have checked out the repository:
Building outside $GOPATH:
make
Building inside $GOPATH:
GO111MODULE=on make
If you are interested in contributing code to kured, please take a look at our development docs.
Use of latest
for production deployments is bad practice - see
here for
details. The manifest on master
refers to latest
for local
development testing with minikube only; for production use choose a
versioned manifest from the release page.
If you have any questions about, feedback for or problems with kured
:
- Invite yourself to the Weave Users Slack.
- Ask a question on the #kured slack channel.
- File an issue.
- Join us in our monthly meeting, every fourth Wednesday of the month at 16:00 UTC.
Your feedback is always welcome!