From 2054a98cf7d846007915c60f9709973bed104917 Mon Sep 17 00:00:00 2001 From: Florent Monbillard Date: Mon, 28 Jan 2019 05:00:49 -0500 Subject: [PATCH] Run kubeadm and hyperkube outside of local_release_dir (#4098) Addressing the discussion started in #4064, this PR moves kubeadm and hyperkube binaries to /usr/local/bin before running them on the master nodes. It is to address the case where local_release_dir points to /tmp (kubespray default) and /tmp is mounted with noexec mode, preventing any binaries to be run in that partition. In role "node", we still move kubeadm to bin_dir only on the worker nodes. --- roles/download/tasks/kubeadm_images.yml | 18 ++++++++++++++++- roles/kubernetes/node/tasks/install.yml | 26 +++++++++++++++++++++++++ roles/kubernetes/node/tasks/main.yml | 2 +- 3 files changed, 44 insertions(+), 2 deletions(-) diff --git a/roles/download/tasks/kubeadm_images.yml b/roles/download/tasks/kubeadm_images.yml index 6492151d1..a166a35ab 100644 --- a/roles/download/tasks/kubeadm_images.yml +++ b/roles/download/tasks/kubeadm_images.yml @@ -4,5 +4,21 @@ src: "kubeadm-images.yaml.j2" dest: "{{ kube_config_dir }}/kubeadm-images.yaml" +- name: kubeadm | Copy kubeadm binary from download dir + synchronize: + src: "{{ local_release_dir }}/kubeadm" + dest: "{{ bin_dir }}/kubeadm" + compress: no + perms: yes + owner: no + group: no + delegate_to: "{{ inventory_hostname }}" + +- name: kubeadm | Set kubeadm binary permissions + file: + path: "{{ bin_dir }}/kubeadm" + mode: "0755" + state: file + - name: container_download | download images for kubeadm config images - command: "{{ local_release_dir }}/kubeadm config images pull --config={{ kube_config_dir }}/kubeadm-images.yaml" + command: "{{ bin_dir }}/kubeadm config images pull --config={{ kube_config_dir }}/kubeadm-images.yaml" diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml index 0cbd4bc9d..d5ef4279a 100644 --- a/roles/kubernetes/node/tasks/install.yml 
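Review bot: The new copy task installs whatever file sits at `{{ local_release_dir }}/kubeadm` into `bin_dir`, and the last task in the hunk then runs it, with no integrity check visible in between. The commit message says `local_release_dir` defaults to /tmp, which is world-writable. Any checksum verification by the download step happens outside this hunk, and the staged file can change between download and copy, so I would confirm it is a regular file with the expected digest right before the `synchronize` task, as sketched below. The hyperkube copy added in roles/kubernetes/node/tasks/install.yml has the same gap. Longer term, staging releases in a directory only root can write to would remove the problem at its source.

```yaml
# placeholder: expected_kubeadm_sha256 stands for the pinned digest the project keeps for this download, if any
- name: kubeadm | Stat staged kubeadm binary
  stat:
    path: "{{ local_release_dir }}/kubeadm"
    checksum_algorithm: sha256
  register: kubeadm_staged

- name: kubeadm | Refuse to install an unexpected kubeadm binary
  assert:
    that:
      - kubeadm_staged.stat.exists
      - kubeadm_staged.stat.isreg
      - kubeadm_staged.stat.checksum == expected_kubeadm_sha256
    msg: "staged kubeadm is missing, not a regular file, or does not match the pinned checksum"

# … unchanged: Copy kubeadm binary from download dir, Set kubeadm binary permissions …
```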
+++ b/roles/kubernetes/node/tasks/install.yml @@ -10,6 +10,8 @@ delegate_to: "{{ inventory_hostname }}" tags: - kubeadm + when: + - not inventory_hostname in groups['kube-master'] - name: install | Set kubeadm binary permissions file: @@ -18,6 +20,8 @@ state: file tags: - kubeadm + when: + - not inventory_hostname in groups['kube-master'] - name: install | Copy kubelet binary from download dir synchronize: @@ -42,6 +46,28 @@ - hyperkube - upgrade +- name: install | Copy hyperkube binary from download dir + synchronize: + src: "{{ local_release_dir }}/hyperkube" + dest: "{{ bin_dir }}/hyperkube" + compress: no + perms: yes + owner: no + group: no + delegate_to: "{{ inventory_hostname }}" + tags: + - hyperkube + - upgrade + +- name: install | Set hyperkube binary permissions + file: + path: "{{ bin_dir }}/hyperkube" + mode: "0755" + state: file + tags: + - hyperkube + - upgrade + - name: install | Copy socat wrapper for Container Linux command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin {{ install_socat_image_repo }}:{{ install_socat_image_tag }}" args: diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml index edf0b29e1..537abcd7e 100644 --- a/roles/kubernetes/node/tasks/main.yml +++ b/roles/kubernetes/node/tasks/main.yml @@ -152,7 +152,7 @@ - kube-proxy - name: Cleanup kube-proxy leftovers from node - command: "{{ local_release_dir }}/hyperkube kube-proxy --cleanup" + command: "{{ bin_dir }}/hyperkube kube-proxy --cleanup" when: - kube_proxy_remove # `kube-proxy --cleanup`, being Ok as per shown WARNING, still returns 255 from above run (?)
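Review bot: With the two added `when:` conditions, master nodes no longer get kubeadm from this role and instead depend on the tasks added in roles/download/tasks/kubeadm_images.yml, which carry no `tags:` in this commit. A run limited to the `kubeadm` tag may therefore leave a missing or outdated `{{ bin_dir }}/kubeadm` on masters, unless tags are applied where that file is included, which is not visible here. A comment above each condition, such as `# masters get kubeadm from roles/download/tasks/kubeadm_images.yml`, would make the cross-role dependency explicit. As a style point, `inventory_hostname not in groups['kube-master']` reads more clearly than `not inventory_hostname in groups['kube-master']`. Both tasks begin outside their hunks.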
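Review bot: The `install | Set hyperkube binary permissions` task fixes the mode but not the ownership, and the preceding `synchronize` runs with `perms: yes`. Between the two tasks the binary in `bin_dir` therefore carries whatever permission bits the staged file in `local_release_dir` had. I would use `perms: no` on the copy and add `owner: root` and `group: root` to the `file` task (assuming the play runs with become), so the installed binary does not depend on the state of the staging directory. The kubeadm tasks added in roles/download/tasks/kubeadm_images.yml have the same shape and would benefit from the same change.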