From 8b7d695d43c78025d6beaf8be65963ef99a294e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Dulko?=
Date: Fri, 15 Jun 2018 15:18:50 +0200
Subject: [PATCH] Fetch CONTAINERID from Docker API in kuryr-cni
In Kuryr CNI container's entrypoint we were talking to K8s API to get the current container's CONTAINERID. This worked fine in most cases, but in more busy environments the value may be not saved into the K8s API yet and we end up with "null" as CONTAINERID. This obviously breaks kuryr-cni script that's being injected onto the host. Instead of implementing retries on "null" this commit uses another approach and fetches CONTAINERID from Docker API.
Closes-Bug: 1777133
Change-Id: If0bbd55c4dc03077132b140a9a12cf6bd0f0cd03
---
cni_ds_init | 44 ++++++++++++++++++++------------------------
1 file changed, 20 insertions(+), 24 deletions(-)
diff --git a/cni_ds_init b/cni_ds_init
index 193002881..53a3d2358 100755
--- a/cni_ds_init
+++ b/cni_ds_init
@@ -6,35 +6,31 @@ function cleanup() { } function deploy() { - local serviceaccount_path - serviceaccount_path="/var/run/secrets/kubernetes.io/serviceaccount" - - # Prepare token. - KUBE_TOKEN=$(<${serviceaccount_path}/token) - POD_NAMESPACE=$(<${serviceaccount_path}/namespace) - - CONTAINERID="" - x=0 - while [ -z ${CONTAINERID} ] && [ $x -lt 9 ]; do - sleep 5 - - CONTAINERID=$(curl -vvv -H "Authorization: Bearer $KUBE_TOKEN" --cacert ${serviceaccount_path}/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/namespaces/${POD_NAMESPACE}/pods/${KURYR_CNI_POD_NAME} | jq -r '.["status"]["containerStatuses"][0]["containerID"]') - - CONTAINERID=${CONTAINERID#*//} - ((x++)) || true - done; - - # There's no point to run if we cannot get CONTAINERID. - if [ -z ${CONTAINERID} ]; then - exit 1 - fi + POD_NAMESPACE=$( /kuryr-cni << EOF #!/bin/bash -x + +finder=" +import json +import sys + +containers=json.load(sys.stdin) +for container in containers: + if ('Labels' in container and + container['Labels'].get('io.kubernetes.pod.name') == '${KURYR_CNI_POD_NAME}' and + container['Labels'].get('io.kubernetes.pod.namespace') == '${POD_NAMESPACE}' and + container['Labels'].get('io.kubernetes.docker.type') == 'container'): + print(container['Id']) + break +" + +# TODO(dulek): We might want to fetch socket path from config. +CONTAINERID=\`curl --unix-socket /var/run/docker.sock http://v1.24/containers/json 2> /dev/null | python -c "\${finder}"\` + envs=(\$(env | grep ^CNI_)) -docker exec \${envs[@]/#/--env } -i "${CONTAINERID}" kuryr-cni --config-file /etc/kuryr/kuryr.conf +docker exec \${envs[@]/#/--env } -i "\${CONTAINERID}" kuryr-cni --config-file /etc/kuryr/kuryr.conf EOF # Copy the script into the designated location
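Review bot: The generated /kuryr-cni script never checks that the Docker API lookup produced a value, so when no container matches the three labels, or curl fails (its stderr is sent to /dev/null), `docker exec` is run with an empty container name. The removed code had an explicit exit when CONTAINERID was empty; an equivalent guard inside the heredoc, right after the assignment, would keep that: `[ -n "\${CONTAINERID}" ] || { echo "kuryr-cni: container ID not found via Docker API" >&2; exit 1; }`. Separately, `${KURYR_CNI_POD_NAME}` and `${POD_NAMESPACE}` are expanded into single-quoted Python literals when the script is written, so a value containing a quote would alter the finder code; Kubernetes naming rules probably rule that out, but passing them to `python -c` as arguments or environment variables would avoid relying on it. deploy() continues past the end of the hunk.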