
@haircommander
Member

@haircommander haircommander commented Sep 4, 2020

What type of PR is this?

/kind feature

What this PR does / why we need it:

Sandbox: Don't use an infra container in some cases

some changes this includes:
- allow for the infra container to not be created by the runtime, if sb.NeedsInfra() is false
- add concept of a 'spoofed' container. This allows us to make calls to ID(), Name(), and Description() without having the runtime create the container
- using spoof, change checks of podInfraContainer == nil to Spoofed(), as well as re-add Description() calls
- reorder some infra container creation code
- add unit tests for NeedsInfra and Spoofed
- add integration test for drop infra
- sysctls are configured in the runtime after the process unshares in the shared namespaces. Since we aren't using a runtime, we need to repeat this step.
  - After unsharing, but before binding, configure the sysctls for the namespace.
- spoof container state
- create a new annotations package for cri-o specific annotations that are experimental, and not yet locked in the API
- refactor ContainerRuntimeType to get a runtime type without a container (and call it RuntimeType)

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

add `--drop-infra-ctr` option to ask CRI-O to drop the infra container when a pod level pid namespace isn't requested. This feature is considered experimental

@openshift-ci-robot openshift-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Sep 4, 2020
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 4, 2020
@haircommander
Member Author

replaces #3997 (which has grown out of date, and has an extra patch that's not needed)

@haircommander
Member Author

also carries #4146

@haircommander
Member Author

/retest

@haircommander haircommander force-pushed the drop-infra branch 2 times, most recently from 9a0509a to 53c5bd4 Compare September 4, 2020 19:57
@codecov

codecov bot commented Sep 4, 2020

Codecov Report

Merging #4165 into master will decrease coverage by 0.00%.
The diff coverage is 40.95%.

@@            Coverage Diff             @@
##           master    #4165      +/-   ##
==========================================
- Coverage   40.92%   40.91%   -0.01%     
==========================================
  Files         111      111              
  Lines        9512     9614     +102     
==========================================
+ Hits         3893     3934      +41     
- Misses       5242     5301      +59     
- Partials      377      379       +2     

@haircommander haircommander force-pushed the drop-infra branch 2 times, most recently from b68bade to 25681e1 Compare September 4, 2020 22:32
@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 7, 2020
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 8, 2020
if ctx.IsSet("manage-ns-lifecycle") {
config.ManageNSLifecycle = ctx.Bool("manage-ns-lifecycle")
}
if ctx.IsSet("drop-infra") {
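Review bot: this branch only copies the flag into the config, but the option's own Usage string says it requires ManageNSLifecycle to be true; return an error here when `drop-infra` is set while `manage-ns-lifecycle` is false, so the unsupported combination is rejected at startup instead of surfacing when the first pod is created.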
Member

Wondering if calling this drop-infra-container or drop-infra-ctr is better or leave it as is.

Member Author

yeah drop-infra-ctr is more clear... I may make that change on next rebase (the only other field in the config that has container or ctr is ctr_stop_timeout so we should keep with ctr imo)

@haircommander
Member Author

/retest

},
&cli.BoolFlag{
Name: "drop-infra-ctr",
Usage: fmt.Sprintf("determines whether we drop the infra container when appropriate. Requires ManageNSLifecycle to be true (default: %v)", defConf.DropInfraCtr),
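Review bot: the Usage string refers to the Go field ManageNSLifecycle, which a CLI user never sees; phrase the prerequisite as the `--manage-ns-lifecycle` flag (the name the config loader reads elsewhere in this diff) so the help text names the option that actually has to be set.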
Member

instead of when appropriate should we reword to when pod pid namespace is not shared?

Member Author

I thought it a bit verbose for a cli flag TBH but yeah it would better match the config values

// on disk
func (c *ContainerServer) ContainerStateToDisk(ctr *oci.Container) error {
if ctr == nil {
if ctr.Spoofed() {
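Review bot: replacing `ctr == nil` with `ctr.Spoofed()` turns a nil argument from an early return into a method call on a nil pointer, which panics if Spoofed reads a field; that is safe only if every caller of ContainerStateToDisk is guaranteed a non-nil container, which the commit removing the nil-infra code path relies on. Mirroring the same early return in ContainerStateFromDisk would also keep a spoofed container's state file from ever being read back.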
Member

Do we need a skip in ContainerStateFromDisk as well?

Member Author

we can for posterity, but the only time it's called is when restoring, in a block where we don't restore if the container used to be spoofed.

return nil
}

// NeedsInfra is a function that returns whether the sandbox will need an infra container
Member

nit: Add sentence with period.

// NeedsInfra is a function that returns whether the sandbox will need an infra container
// if the server manages the namespace lifecycles, and the Pid option on the sandbox
// is node level, the infra container is not needed
Member

node or container

as well as update existing tests to allow drop_infra_ctr to be true or false by default

Signed-off-by: Peter Hunt <[email protected]>
@haircommander
Member Author

(most) comments addressed, thanks for the thorough review @kolyshkin

PTAL @umohnani8 @mrunalp @saschagrunert

specifically, set RUNTIME_NAME and CONTAINER_DEFAULT_RUNTIME if it's set as such

Signed-off-by: Peter Hunt <[email protected]>
sysctls must be passed to pinns of the format -s 'key=value'+'key2=value2'
also, move the pinns source code to `pinns/src` to clean up the top level directory a bit

Signed-off-by: Peter Hunt <[email protected]>
as it would otherwise unconditionally have pexit() called

Signed-off-by: Peter Hunt <[email protected]>
to hold crio specific annotations until they are stable enough to put in containers/common

Signed-off-by: Peter Hunt <[email protected]>
as well as a constructor for a spoofed container

a Spoofed() container is one that exists in cri-o's state, but not in the runtime

This allows us to drop the infra, but keep bookkeeping standardized
(for instance, when we restore cri-o, we look at the container's state directory)

Signed-off-by: Peter Hunt <[email protected]>
to allow the sandbox to decide when it needs an infra container

Signed-off-by: Peter Hunt <[email protected]>
in the initial (very old) implementation of a dropped infra,
infra containers were allowed to be nil

This is no longer the case, so we can remove traces of that old implementation

Signed-off-by: Peter Hunt <[email protected]>
this commit includes:
- propagate sysctls from pod creation down to pinns
- use the annotations package for userns and spoofed containers
- add restore code for when a container was spoofed
- query a runtime handler based on the string instead of by container
  - this allows us to query the runtime handler before we create the container to allow it to be spoofed
- drop the infra container when the pod is not kernel separated, and when NeedsInfra is false

Signed-off-by: Peter Hunt <[email protected]>
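The decision rule from the PR description (NeedsInfra, plus the fail-fast requirement that `--drop-infra-ctr` needs ManageNSLifecycle, as the flag's Usage string states) and the pinns `-s` sysctl format from the commit message above, worked through as an added Go example; this is not cri-o's own code. `PidMode`, `Config.Validate` and `PinnsSysctlArg` are assumed names, and passing the sysctl argument without the shell quotes shown in the commit message is an assumption.

```go
package main

import (
	"errors"
	"sort"
	"strings"
)

// PidMode is a hypothetical stand-in for the CRI PID NamespaceMode values.
type PidMode int
const (
	PidPod       PidMode = iota // pod-level PID ns shared by all containers
	PidContainer                // each container gets its own PID ns
	PidNode                     // containers run in the host PID ns
)
// Config holds the two options the PR ties together (field names as on the page).
type Config struct {
	ManageNSLifecycle bool
	DropInfraCtr      bool
}
// Validate fails fast at startup: drop_infra_ctr without manage_ns_lifecycle
// is rejected rather than silently implied, as the flag's Usage string requires.
func (c Config) Validate() error {
	if c.DropInfraCtr && !c.ManageNSLifecycle {
		return errors.New("drop_infra_ctr requires manage_ns_lifecycle=true")
	}
	return nil
}

// NeedsInfra applies the PR's rule: with cri-o managing namespace lifecycles
// and no pod-level PID ns requested (node or container), no infra is needed.
func NeedsInfra(c Config, pid PidMode) bool {
	return !(c.ManageNSLifecycle && c.DropInfraCtr) || pid == PidPod
}

// PinnsSysctlArg builds the pinns argument from the commit message,
// -s key=value+key2=value2; the quotes shown there are shell quoting and are
// assumed absent when pinns is exec'd directly. Sorted for a stable argv.
func PinnsSysctlArg(sysctls map[string]string) []string {
	parts := make([]string, 0, len(sysctls))
	for k, v := range sysctls {
		parts = append(parts, k+"="+v)
	}
	if len(parts) == 0 {
		return nil // no -s flag at all when the pod sets no sysctls
	}
	sort.Strings(parts)
	return []string{"-s", strings.Join(parts, "+")}
}
```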
Member

@saschagrunert saschagrunert left a comment

Just one suggestion around the general behavior, otherwise LGTM

**--default-ulimits**="": Ulimits to apply to containers by default (name=soft:hard) (default: []) (default: [])

**--drop-infra-ctr**: Determines whether pods are created without an infra container (when the pod is not using a pod level PID namespace). Requires ManageNSLifecycle to be true (default: false)
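Review bot: the `--default-ulimits` line carries `(default: [])` twice; drop the duplicate. In the `--drop-infra-ctr` entry, name the prerequisite as the `--manage-ns-lifecycle` flag rather than the Go field ManageNSLifecycle, matching how the rest of the man page refers to options.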
Member

I suggest we implicitly set ManageNSLifecycle to true if this toggle switches on.

Member Author

I think it is more clear (as an experimental feature) that we fail quickly when it's not set. By the time DropInfra is set to true by default, I like to think we won't have ManageNSLifecycle as an option anymore

@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, saschagrunert


Details Needs approval from an approver in each of these files:
  • OWNERS [haircommander,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@haircommander
Member Author

/retest

@mrunalp
Member

mrunalp commented Sep 11, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 11, 2020
@haircommander haircommander changed the title Drop infra container, again again Add option to drop infra container Sep 11, 2020
@haircommander
Member Author

/retest

@openshift-ci-robot

openshift-ci-robot commented Sep 12, 2020

@haircommander: The following tests failed, say /retest to rerun all failed tests:

Test name                               Commit   Rerun command
ci/openshift-jenkins/e2e_crun_cgroupv2  9afdd35  /test e2e_cgroupv2
ci/prow/e2e-aws                         9afdd35  /test e2e-aws


@openshift-merge-robot openshift-merge-robot merged commit a001e72 into cri-o:master Sep 12, 2020
liubin pushed a commit to liubin/cri-o that referenced this pull request Sep 16, 2020
Add option to drop infra container

Signed-off-by: bin liu <[email protected]>