
Conversation

@haircommander
Member

What type of PR is this?

/kind feature

What this PR does / why we need it:

Sandbox: Don't use an infra container in some cases

some changes this includes:
- allow for the infra container to not be created by the runtime, if sb.NeedsInfra() is false
- add concept of a 'spoofed' container. This allows us to make calls to ID(), Name(), and Description() without having the runtime create the container
- using spoof, change checks of podInfraContainer == nil to Spoofed(), as well as re-add Description() calls
- reorder some infra container creation code
- add unit tests for NeedsInfra and Spoofed
- add integration test for drop infra
- sysctls are configured in the runtime after the process unshares into the shared namespaces. Since we aren't using a runtime, we need to repeat this step.
  - After unsharing, but before binding, configure the sysctls for the namespace.
- spoof container state
- create a new annotations package for cri-o specific annotations that are experimental, and not yet locked in the API
- refactor ContainerRuntimeType to get a runtime type without a container (and call it RuntimeType)

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

add `--drop-infra-ctr` option to ask CRI-O to drop the infra container when a pod level pid namespace isn't requested. This feature is considered experimental

as well as update existing tests to allow drop_infra_ctr to be true or false by default

Signed-off-by: Peter Hunt <[email protected]>
specifically, set RUNTIME_NAME and CONTAINER_DEFAULT_RUNTIME if it's set as such

Signed-off-by: Peter Hunt <[email protected]>
sysctls must be passed to pinns of the format -s 'key=value'+'key2=value2'
also, move the pinns source code to `pinns/src` to clean up the top level directory a bit

Signed-off-by: Peter Hunt <[email protected]>
as it would otherwise unconditionally have pexit() called

Signed-off-by: Peter Hunt <[email protected]>
to hold crio specific annotations until they are stable enough to put in containers/common

Signed-off-by: Peter Hunt <[email protected]>
as well as a constructor for a spoofed container

a Spoofed() container is one that exists in cri-o's state, but not in the runtime

This allows us to drop the infra, but keep bookkeeping standardized
(for instance, when we restore cri-o, we look at the container's state directory)

Signed-off-by: Peter Hunt <[email protected]>
to allow the sandbox to decide when it needs an infra container

Signed-off-by: Peter Hunt <[email protected]>
in the initial (very old) implementation of a dropped infra,
infra containers were allowed to be nil

This is no longer the case, so we can remove traces of that old implementation

Signed-off-by: Peter Hunt <[email protected]>
this commit includes:
- propagate sysctls from pod creation down to pinns
- use the annotations package for userns and spoofed containers
- add restore code for when a container was spoofed
- query a runtime handler based on the string instead of by container
  - this allows us to query the runtime handler before we create the container to allow it to be spoofed
- drop the infra container when the pod is not kernel separated, and when NeedsInfra is false

Signed-off-by: Peter Hunt <[email protected]>
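As an added illustration (example code written for this page, not CRI-O's own code and not part of this PR), the Go sketch below models the three mechanisms the description above introduces: a NeedsInfra() decision that only drops the infra container when the experimental option is on and no pod-level PID namespace is requested, a spoofed container that exists in CRI-O's bookkeeping but is never created by the OCI runtime, and the 'key=value'+'key2=value2' argument format the commits say must be passed to pinns -s. The type names, the PIDNamespaceMode enum, the KernelSep field and the separator validation are assumptions made for the example; the real sandbox, container and pinns code differ.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// PIDNamespaceMode stands in for the CRI's pod-level PID namespace request.
// (Assumed enum for this example; CRI-O uses the CRI protobuf types.)
type PIDNamespaceMode int

const (
	PIDContainer PIDNamespaceMode = iota // each container gets its own PID ns
	PIDPod                               // pod-level PID ns: needs a long-lived holder
	PIDNode                              // host PID namespace
)

// Sandbox holds only the pod state needed for the infra decision (assumed shape).
type Sandbox struct {
	ID, Name     string
	PIDMode      PIDNamespaceMode
	KernelSep    bool // VM-based runtime: the sandbox must be a real container
	DropInfraCtr bool // the --drop-infra-ctr option
}

// NeedsInfra reports whether a real infra container must be created.
// Without drop_infra_ctr the legacy behaviour (always create) is kept; a pod-level
// PID namespace needs a process to hold it open, and kernel-separated runtimes
// always need a sandbox container.
func (sb *Sandbox) NeedsInfra() bool {
	if !sb.DropInfraCtr || sb.KernelSep {
		return true
	}
	return sb.PIDMode == PIDPod
}

// Container is the per-container bookkeeping object (assumed shape).
type Container struct {
	id, name, description string
	spoofed               bool
}

// NewSpoofedContainer records an infra container in CRI-O's own state
// without asking the OCI runtime to create it.
func NewSpoofedContainer(id, name, desc string) *Container {
	return &Container{id: id, name: name, description: desc, spoofed: true}
}
func (c *Container) ID() string          { return c.id }
func (c *Container) Name() string        { return c.name }
func (c *Container) Description() string { return c.description }
func (c *Container) Spoofed() bool       { return c.spoofed }

// RuntimeShouldCreate is the check that replaces `podInfraContainer == nil`.
func RuntimeShouldCreate(c *Container) bool { return !c.Spoofed() }

// FormatSysctls builds the pinns `-s` argument: 'key=value'+'key2=value2'.
// The delimited format has no escaping, so keys and values that contain the
// separators or quote characters are rejected instead of being smuggled through.
func FormatSysctls(sysctls map[string]string) (string, error) {
	keys := make([]string, 0, len(sysctls))
	for k := range sysctls {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic argument for logging and tests
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		v := sysctls[k]
		if k == "" || strings.ContainsAny(k, "=+'") || strings.ContainsAny(v, "+'") {
			return "", fmt.Errorf("invalid sysctl %q=%q", k, v)
		}
		parts = append(parts, "'"+k+"="+v+"'")
	}
	return strings.Join(parts, "+"), nil
}

// ParseSysctls is the inverse: what the receiving side has to do before writing
// each entry under /proc/sys inside the freshly unshared namespace.
func ParseSysctls(arg string) (map[string]string, error) {
	out := map[string]string{}
	if arg == "" {
		return out, nil
	}
	for _, p := range strings.Split(arg, "+") {
		p = strings.TrimSuffix(strings.TrimPrefix(p, "'"), "'")
		kv := strings.SplitN(p, "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return nil, errors.New("malformed sysctl entry: " + p)
		}
		out[kv[0]] = kv[1]
	}
	return out, nil
}

func main() {
	sb := &Sandbox{ID: "abc", Name: "pod", PIDMode: PIDContainer, DropInfraCtr: true}
	fmt.Println("needs infra:", sb.NeedsInfra())
	infra := NewSpoofedContainer(sb.ID+"-infra", "k8s_POD_"+sb.Name, "POD sandbox for "+sb.Name)
	fmt.Println("runtime should create infra:", RuntimeShouldCreate(infra))
	arg, _ := FormatSysctls(map[string]string{"net.ipv4.ip_forward": "1", "net.core.somaxconn": "1024"})
	fmt.Println("pinns -s", arg)
}
```

The separator check matters because the pinns argument is a flat delimited string: a value containing '+' would silently become a second entry on the receiving side. Independently of this PR, a general caveat when writing sysctls after unshare is that only namespaced sysctls (network sysctls and a few IPC/kernel ones) are scoped to the new namespace; anything else written under /proc/sys still affects the host.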
@openshift-ci-robot openshift-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Sep 11, 2020
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 11, 2020
@haircommander
Member Author

/retest

@codecov

codecov bot commented Sep 11, 2020

Codecov Report

Merging #4186 into release-1.19 will decrease coverage by 0.01%.
The diff coverage is 40.64%.

@@               Coverage Diff                @@
##           release-1.19    #4186      +/-   ##
================================================
- Coverage         41.77%   41.76%   -0.02%     
================================================
  Files               110      110              
  Lines              9067     9169     +102     
================================================
+ Hits               3788     3829      +41     
- Misses             4938     4997      +59     
- Partials            341      343       +2     

@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, mrunalp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [haircommander,mrunalp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mrunalp
Member

mrunalp commented Sep 11, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 11, 2020
@haircommander haircommander added release-1.19 lgtm Indicates that a PR is ready to be merged. and removed lgtm Indicates that a PR is ready to be merged. labels Sep 11, 2020
@fidencio
Contributor

/retest

@fidencio
Contributor

/test e2e-aws

@haircommander
Member Author

/retest
