WIP Sandbox: drop infra and use pinns to configure sysctls #3474
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: haircommander. The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
test/sysctl.bats (outdated)
| @@ -0,0 +1,54 @@ | |||
| #!/usr/bin/env bats | |||
todo: remove this test, it was just for not needing to run the entire ctr.bats
Codecov Report

@@            Coverage Diff             @@
##           master    #3474      +/-   ##
==========================================
+ Coverage   43.95%   44.03%   +0.08%
==========================================
  Files         101      101
  Lines        7770     7807      +37
==========================================
+ Hits         3415     3438      +23
- Misses       4056     4072      +16
+ Partials      299      297       -2
| return 0; | ||
| } | ||
| static int write_sysctl_to_file (char * sysctl_key, char* sysctl_value) |
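Review bot: `write_sysctl_to_file` takes `char *` for both the key and the value; unless it modifies them in place, declare them `const char *sysctl_key, const char *sysctl_value` (and drop the space before the parameter list) so config strings and literals can be passed without casts. While here, it is worth confirming that the key-to-`/proc/sys` path conversion rejects empty and `..` components, since the key comes from the pod's sysctl list and must not be able to name a file outside `/proc/sys`.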
todo: give @giuseppe credit for this function
could we use directly libcrun or is it overkill? It doesn't need to be linked and it could just be a git submodule
It is kind of overkill. All the autoconf/automake configuration for a 15 line function ultimately doesn't seem worth it.
The interaction with libcrun was also awkward, because we need to call pinns before we write the config.json to disk. To get the sysctls from it, we needed to write a temporary one, then use it to configure the namespaces, then use those namespaces to configure the real one.
Ultimately, I like this flow better.
I thought we could use directly the function without going through the config.json part.
But I agree autoconf/automake for a function is overkill :-)
b3197e3 to 1345fb2
/test e2e
c7da1d4 to 8ea9545
/test integration_rhel
55dfe5a to 60e9c99
Some changes this includes:
- allow for the infra container to not be created by the runtime, if sb.NeedsInfra() is false
- add the concept of a 'spoofed' container. This allows us to make calls to ID(), Name(), and Description() without having the runtime create the container
- using spoof, change checks of podInfraContainer == nil to Spoofed(), as well as re-add Description() calls
- reorder some infra container creation code
- add unit tests for NeedsInfra and Spoofed
- add integration test for drop infra
Signed-off-by: Peter Hunt <[email protected]>
Sysctls are configured in the runtime after the process unshares in the shared namespaces. Since we aren't using a runtime, we need to repeat this step: after unsharing, but before binding, configure the sysctls for the namespace.
Signed-off-by: Peter Hunt <[email protected]>
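The sequence described in this commit message (unshare, write the sysctls into the fresh namespace, then bind-mount it onto the pin path), as an added example in C that is not pinns or crun code. The helper names, the restriction to the network namespace, and the key-validation rule are this example's own assumptions; the only part that runs unprivileged is the key-to-path mapping, which also shows the check a reviewer would want on a key taken from the pod spec.

```c
/* Added example (not pinns/crun code): the sysctl step pinns must repeat once
 * no runtime is started for the infra container. Order, per the commit
 * message: unshare, write sysctls inside the new namespace, then bind-mount
 * /proc/self/ns/net onto the pin path. Linux only; pinning needs CAP_SYS_ADMIN.
 * Helper names and the net-namespace-only scope are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Map "net.ipv4.ip_forward" (or "net/ipv4/ip_forward") to
 * "/proc/sys/net/ipv4/ip_forward". '.' is always a separator, so a ".."
 * component can never form; the only way out of /proc/sys would be an empty
 * component (leading, trailing or doubled separator), which is rejected.
 * Returns 0 on success, -1 on a bad key or a too-small buffer. */
static int sysctl_key_to_path(const char *key, char *path, size_t path_len)
{
    static const char prefix[] = "/proc/sys/";
    size_t n = strlen(key), comp_len = 0;

    if (n == 0 || n + sizeof(prefix) > path_len)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (key[i] == '.' || key[i] == '/') {
            if (comp_len == 0)
                return -1;
            comp_len = 0;
        } else {
            comp_len++;
        }
    }
    if (comp_len == 0)
        return -1;
    memcpy(path, prefix, sizeof(prefix) - 1);
    for (size_t i = 0; i < n; i++)
        path[sizeof(prefix) - 1 + i] = key[i] == '.' ? '/' : key[i];
    path[sizeof(prefix) - 1 + n] = '\0';
    return 0;
}

/* Predicate used to check the mapping without touching /proc. */
static int key_maps_to(const char *key, const char *expected)
{
    char path[PATH_MAX];
    return sysctl_key_to_path(key, path, sizeof path) == 0 &&
           strcmp(path, expected) == 0;
}

/* Write value to the sysctl in the caller's current namespace.
 * Returns 0 or a negative errno. */
static int write_sysctl(const char *key, const char *value)
{
    char path[PATH_MAX];
    if (sysctl_key_to_path(key, path, sizeof path) < 0)
        return -EINVAL;
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    ssize_t len = (ssize_t)strlen(value);
    int ret = 0;
    if (write(fd, value, (size_t)len) != len)
        ret = errno ? -errno : -EIO;
    close(fd);
    return ret;
}

/* Unshare a new net namespace in the calling process (pinns does this in the
 * child it pins), apply the sysctls inside it, then pin it with a bind mount.
 * Writing the sysctls before the bind is what leaves a complete namespace
 * for whoever joins it later. */
static int pin_net_ns_with_sysctls(const char *pin_path, const char *const *keys,
                                   const char *const *values, size_t count)
{
    if (unshare(CLONE_NEWNET) < 0)
        return -errno;
    for (size_t i = 0; i < count; i++) {
        int ret = write_sysctl(keys[i], values[i]);
        if (ret < 0)
            return ret;
    }
    int fd = open(pin_path, O_RDONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0);
    if (fd < 0)
        return -errno;
    close(fd);
    if (mount("/proc/self/ns/net", pin_path, NULL, MS_BIND, NULL) < 0)
        return -errno;
    return 0;
}

/* Usage: ./a.out [pin_path]; without a pin path only the mapping is shown. */
int main(int argc, char **argv)
{
    char path[PATH_MAX];
    const char *keys[] = { "net.ipv4.ip_forward" }, *values[] = { "1" };

    if (sysctl_key_to_path(keys[0], path, sizeof path) == 0)
        printf("%s -> %s\n", keys[0], path);
    if (argc > 1) {
        int ret = pin_net_ns_with_sysctls(argv[1], keys, values, 1);
        if (ret < 0) {
            fprintf(stderr, "pin failed: %s\n", strerror(-ret));
            return 1;
        }
    }
    return 0;
}
```

Run without arguments to see the mapping; with a pin path (as root) it creates a fresh network namespace, sets the sysctl in it and leaves the namespace reachable at that path, which is the state pinns hands to the pod once the runtime no longer does this step.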
60e9c99 to b1961cd
b1961cd to 7531de8
/retest
@haircommander: PR needs rebase. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
| scontainer.SetSpec(&m) | ||
| scontainer.SetMountPoint(m.Annotations[annotations.MountPoint]) | ||
| var scontainer *oci.Container | ||
| if sb.NeedsInfra(c.config.ManageNSLifecycle) { |
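Review bot: `scontainer` is declared as a nil `*oci.Container` and the only assignment visible here sits behind `if sb.NeedsInfra(c.config.ManageNSLifecycle)`; the other branch must assign the spoofed container before `scontainer.SetSpec(&m)` and `scontainer.SetMountPoint(...)` run, otherwise restoring a pod created without an infra container dereferences nil. A one-line comment on the spoofed path would make the invariant obvious to the next reader.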
When NeedsInfra() returns true, infra container would still be instantiated.
From the subject of the PR, I thought infra container would be gone.
Yeah, it's still being used to hold pod-level information (and is likely needed to store it for a restore). The first step is to drop the container at the runtime level.
| if err := s.CtrIDIndex().Delete(podInfraContainer.ID()); err != nil { | ||
| return nil, fmt.Errorf("failed to delete infra container %s in pod sandbox %s from index: %v", podInfraContainer.ID(), sb.ID(), err) | ||
| } | ||
| s.ReleaseContainerName(podInfraContainer.Name()) |
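Review bot: with the nil check gone, a spoofed infra container also reaches `s.CtrIDIndex().Delete(podInfraContainer.ID())` and `s.ReleaseContainerName(podInfraContainer.Name())`; confirm that `Delete` on an ID that was never registered (the runtime did not create the spoofed container) is not an error, otherwise every infra-less sandbox removal fails with `failed to delete infra container ... from index`. If it can fail, guard both calls with `if !podInfraContainer.Spoofed()`.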
We don't need the 'if podInfraContainer != nil ' check because there would be spoofed container if infra container is not needed.
| if err := s.ContainerStateToDisk(container); err != nil { | ||
| log.Warnf(ctx, "unable to write containers %s state to disk: %v", container.ID(), err) | ||
| if err := s.MonitorConmon(container); err != nil { |
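Review bot: the warning text `unable to write containers %s state to disk` should read `unable to write container %s state to disk` (singular). Since the thread settles that conmonmon is dropped, please also grep for any remaining `MonitorConmon` caller on the sandbox/container restore paths so the removal is complete in one change.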
I noticed the MonitorConmon() call originally on line 638 has been removed.
Do we still want the call here?
No, we've dropped conmonmon.
| namespaces, err := pinFunc(managedNamespaces, cfg, sysctls) | ||
| if err != nil { | ||
| return typesAndPaths, nil | ||
| return typesAndPaths, err |
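Review bot: the old `return typesAndPaths, nil` silently discarded the error from `pinFunc`, so returning `err` is the right fix, but returning `typesAndPaths` next to a non-nil error invites a caller that forgets the check to use a half-built value. Prefer `return nil, err` here, and check whether namespaces already pinned before the failing call need to be unpinned so a failed sandbox setup does not leave stray bind mounts behind.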
Since err is returned, how useful is typesAndPaths?
It's not; it could be nil.
| return 0; | ||
| } | ||
| static int bind_ns(const char *pin_path, const char *ns_name); |
Current declaration is:
static int bind_ns(const char *pin_path, const char *filename, const char *ns_name);
filename is no longer needed?
the way the function works has been changed
@haircommander: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
replacing with #3997
What type of PR is this?
/kind api-change
What this PR does / why we need it:
A new version of #3076 that adapts the sysctl code from crun and copies it into pinns, as it's the only part of libcrun that is needed. This, along with fixing a remaining port-forward bug, should be the last needed to pass tests while dropping the infra container (still lots more refactoring needed).
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?