*: Add --pid-namespace=[container|pod|pod-container] #1280
Conversation
|
Hi @wking. Thanks for your PR. I'm waiting for a openshift or kubernetes-incubator member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Can anyone reproduce Travis' |
|
@wking You might want to try running |
|
On Mon, Jan 22, 2018 at 11:45:09PM +0000, Matthew Heon wrote:
You might want to try running `gofmt` on the directory containing
the file…
That didn't work either :/. I've filed #1281 to get more helpful
error messages.
|
|
We want to support this through k8s. See kubernetes/community#1048 for details. |
It looks like the upstream plan is to leave the |
This allows us to launch containers that create new PID namespaces within an existing PID namespace that differs from the host PID namespace. One use-case is launching containers into a pod in per-container PID namespaces that are children of the pod's infra containter PID namespace (similar to the existing --enable-shared-pid-namespace, but where the worker containers cannot see each other or back up into the infra container). Signed-off-by: W. Trevor King <[email protected]>
lib/config.go
Outdated
| // namespace with the non-infra containers in per-container PID | ||
| // namespaces that are children of the pod's infra PID namespace . | ||
| // A 'hostPID' Kubernetes pod specification overrides this setting. | ||
| PIDNamespace string `toml:"pid_namespace"` // FIXME: should this be an enum type? |
There was a problem hiding this comment.
The FIXME comment is what Travis is complaining about, and we don't want to land that comment anyway. Maintainers, would you prefer an enum or a string for this property? I'm fine either way.
There was a problem hiding this comment.
We don't want options for all possible pid namespace sharing options at the daemon level.
We only want to be able to distinguish whether we want pod or pod-container when k8s passes us POD as the sharing option:
enum NamespaceMode {
POD = 0;
CONTAINER = 1;
NODE = 2;
TARGET = 3;
}
There was a problem hiding this comment.
The reason we had the option at the daemon level was because pid namespace support wasn't fully baked in k8s and we wanted a control at the daemon level. With the upcoming changes, we can do what k8s requests through the API and choice will be down to what to do when we get POD as the setting.
There was a problem hiding this comment.
The reason we had the option at the daemon level was because pid namespace support wasn't fully baked in k8s…
kubernetes/community#1048 should help with this, but I'm not clear on the deployment procedure. Wouldn't we need changes to kubernetes/api to implement
kubernetes/community#1048 before we could rely on them here? And until we have k8s API support for kubernetes/community#1048, I'm not sure how to adjust this. Should we just table this PR until there is k8s API support for kubernetes/community#1048?
And either way, I think maintainers here are going to have to make a call on strings vs. enums for the CRI-O config. The kubernetes/community#1048 support question is just impacting the option name and scope, we'll still need an option that takes string arguments on the command line, and holds that configuration in Go.
There was a problem hiding this comment.
kubernetes/community#1048 should help with this, but I'm not clear on the deployment procedure. Wouldn't we need changes to kubernetes/api to implement
kubernetes/community#1048 before we could rely on them here? And until we have k8s API support for kubernetes/community#1048, I'm not sure how to adjust this. Should we just table this PR until there is k8s API support for kubernetes/community#1048?
Yes, we can wait for the implementation of 1048 to land: kubernetes/kubernetes#58716
And either way, I think maintainers here are going to have to make a call on strings vs. enums for the CRI-O config. The kubernetes/community#1048 support question is just impacting the option name and scope, we'll still need an option that takes string arguments on the command line, and holds that configuration in Go.
We can use the approach that we have for ImageVolumes where we have defined a custom type.
So crio callers can pick their PID namespace approach. This seems
like something that folks might want to configure per-pod, or possibly
even per-container, but for now follow --enable-shared-pid-namespace
and make it per-crio-daemon.
The "Deprecated:" paragraph approach in Go comments is recommended in
[1].
The ${parameter:+word} syntax is in POSIX [2], and
${REDIS_IN_INFRA:+!} resolves to ! when REDIS_IN_INFRA is set
non-empty and resolves to nothing when REDIS_IN_INFRA is unset.
The ADDITIONAL_CRIO_OPTIONS approach is easier to maintain than the
old approach with settings for every option, because we no longer need
to maintain defaults in two locations (lib/config.go and
test/helpers.bash). For this commit, I've only dropped
ENABLE_SHARED_PID_NAMESPACE, but we may want to extend this approach
to more variables in the future.
PIDNamespaceType follows the ImageVolumes pattern at Mrunal's
recommendation [3].
[1]: https://blog.golang.org/godoc-documenting-go-code
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_02
[3]: cri-o#1280 (comment)
Signed-off-by: W. Trevor King <[email protected]>
|
I've pushed fe66d00 → 87121d8, switching the Go property from a string to a custom type. Once kubernetes/kubernetes#58716 lands, I'll update to take that into account as well. |
So crio callers can pick their PID namespace approach. This seems
like something that folks might want to configure per-pod, or possibly
even per-container, but for now follow --enable-shared-pid-namespace
and make it per-crio-daemon.
The "Deprecated:" paragraph approach in Go comments is recommended in
[1].
The ${parameter:+word} syntax is in POSIX [2], and
${REDIS_IN_INFRA:+!} resolves to ! when REDIS_IN_INFRA is set
non-empty and resolves to nothing when REDIS_IN_INFRA is unset.
The ADDITIONAL_CRIO_OPTIONS approach is easier to maintain than the
old approach with settings for every option, because we no longer need
to maintain defaults in two locations (lib/config.go and
test/helpers.bash). For this commit, I've only dropped
ENABLE_SHARED_PID_NAMESPACE, but we may want to extend this approach
to more variables in the future.
PIDNamespaceType follows the ImageVolumes pattern at Mrunal's
recommendation [3].
[1]: https://blog.golang.org/godoc-documenting-go-code
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_02
[3]: cri-o#1280 (comment)
Signed-off-by: W. Trevor King <[email protected]>
So crio callers can pick their PID namespace approach. This seems
like something that folks might want to configure per-pod, or possibly
even per-container, but for now follow --enable-shared-pid-namespace
and make it per-crio-daemon.
The "Deprecated:" paragraph approach in Go comments is recommended in
[1].
The ${parameter:+word} syntax is in POSIX [2], and
${REDIS_IN_INFRA:+${NOT}} resolves to ! when REDIS_IN_INFRA is set
non-empty and resolves to nothing when REDIS_IN_INFRA is unset. I'm
using :+${NOT} instead of :+!, because the latter is giving me:
$ echo "${REDIS_IN_INFRA:+!}"
bash: !}: event not found
$ echo "${BASH_VERSION}"
4.4.12(1)-release
regardless of whether REDIS_IN_INFRA is set.
The ADDITIONAL_CRIO_OPTIONS approach is easier to maintain than the
old approach with settings for every option, because we no longer need
to maintain defaults in two locations (lib/config.go and
test/helpers.bash). For this commit, I've only dropped
ENABLE_SHARED_PID_NAMESPACE, but we may want to extend this approach
to more variables in the future.
PIDNamespaceType follows the ImageVolumes pattern at Mrunal's
recommendation [3].
[1]: https://blog.golang.org/godoc-documenting-go-code
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_02
[3]: cri-o#1280 (comment)
Signed-off-by: W. Trevor King <[email protected]>
So crio callers can pick their PID namespace approach. This seems
like something that folks might want to configure per-pod, or possibly
even per-container, but for now follow --enable-shared-pid-namespace
and make it per-crio-daemon.
The "Deprecated:" paragraph approach in Go comments is recommended in
[1].
I tried to find a more compact form for the REDIS_IN_INFRA test, but:
* =~ is not in POSIX [2], so we need to use Bash's internal [[.
* '[ ! {expression} ]' is in POSIX [2], but Bash's [[ seems to look
for ! before doing variable expansion.
Because of those, we can't use POSIX's ${parameter:+word} [3]:
NOT="!"
[[ ${REDIS_IN_INFRA:+${NOT}} "$output" =~ "redis" ]]
and the best alternative I can find is the if/else that I've gone with
in this commit.
The ADDITIONAL_CRIO_OPTIONS approach is easier to maintain than the
old approach with settings for every option, because we no longer need
to maintain defaults in two locations (lib/config.go and
test/helpers.bash). For this commit, I've only dropped
ENABLE_SHARED_PID_NAMESPACE, but we may want to extend this approach
to more variables in the future.
PIDNamespaceType follows the ImageVolumes pattern at Mrunal's
recommendation [4].
[1]: https://blog.golang.org/godoc-documenting-go-code
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
[3]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_02
[4]: cri-o#1280 (comment)
Signed-off-by: W. Trevor King <[email protected]>
|
@wking needs a rebase. |
|
Hmm, #1324 may have brought in what I need. |
|
@wking Should we close this PR since we have the other PR on PIDNamespaces? |
No, the other doesn't support the pod-container approach. But you can flag this as blocked-on-submitter or some such until I have time to rebase it. |
|
Needs a rebase. |
|
@wking please rebase |
|
@umohnani8 @haircommander @wking @saschagrunert Working on this? Interns? Close? |
|
I still see it as valuable improvement and we should continue with it 😇 |
|
@giuseppe PTAL Could you take this over and get it merged or close it, if it does not apply any longer? |
it is an interesting feature but the rebase is not a trivial task. What is the best way to not lose track of it? Opening an issue? |
|
@giuseppe @mrunalp @haircommander @saschagrunert @kolyshkin @umohnani8 What should we do with this one? |
|
@wking: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
|
@wking: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@mrunalp @rhatdan @haircommander could you please close this PR? (Based on comment from: #3601 (comment) Thanks! |
So
criocallers can pick their PID namespace approach. This seems like something that folks might want to configure per-pod, or possibly even per-container, but for now follow--enable-shared-pid-namespaceand make it per-crio-daemon.The “Deprecated:” paragraph approach in Go comments is recommended here.
The
${parameter:+word}syntax is in POSIX, and${REDIS_IN_INFRA:+!}resolves to!whenREDIS_IN_INFRAis set non-empty and resolves to nothing whenREDIS_IN_INFRAis unset.The
ADDITIONAL_CRIO_OPTIONSapproach is easier to maintain than the old approach with settings for every option, because we no longer need to maintain defaults in two locations (lib/config.goandtest/helpers.bash). For this pull request, I've only droppedENABLE_SHARED_PID_NAMESPACE, but we may want to extend this approach to more variables in the future.There's some related discussion in #1242.