Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update containerd to v2.0.1 #3828

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Dec 20, 2024

Fix #3768

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Dec 20, 2024
@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Dec 20, 2024
@AkihiroSuda
Copy link
Member Author

/retest

@stmcginnis
Copy link
Contributor

I plan on doing some more local testing, but this looks good to me and CI is happy.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 20, 2024
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 20, 2024
@@ -82,7 +83,9 @@ func LoadImageArchive(n nodes.Node, image io.Reader) error {
if err != nil {
return err
}
cmd := n.Command("ctr", "--namespace=k8s.io", "images", "import", "--all-platforms", "--digests", "--snapshotter="+snapshotter, "-").SetStdin(image)
// --local=true: Disables the Transfer API mode that is enabled by default since containerd v2.0.
// Workaround for `ctr: rpc error: code = InvalidArgument desc = unable to initialize unpacker: no unpack platforms defined: invalid argument`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably need a long term solution for this?

Copy link
Member

@BenTheElder BenTheElder Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also: #3805 (Attempts to set --local=false instead of --local=true to resolve a different problem)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

}
var snapshotter string
switch configVersion {
case 2: // Introduced in containerd v1.3. Still supported in containerd v2.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we probably need to allow user supplied config patches to similarly target 2 vs 3 separately, though that doesn't need to be done in this PR

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we depend on the version of the config?

if len(ctx.Config.ContainerdConfigPatches) > 0 || len(ctx.Config.ContainerdConfigPatchesJSON6902) > 0 {
fns := make([]func() error, len(kubeNodes))
for i, node := range kubeNodes {
node := node // capture loop variable
fns[i] = func() error {
// read and patch the config
const containerdConfigPath = "/etc/containerd/config.toml"
var buff bytes.Buffer
if err := node.Command("cat", containerdConfigPath).SetStdout(&buff).Run(); err != nil {
return errors.Wrap(err, "failed to read containerd config from node")
}
patched, err := patch.TOML(buff.String(), ctx.Config.ContainerdConfigPatches, ctx.Config.ContainerdConfigPatchesJSON6902)
if err != nil {
return errors.Wrap(err, "failed to patch containerd config")
}
if err := nodeutils.WriteFile(node, containerdConfigPath, patched); err != nil {
return errors.Wrap(err, "failed to write patched containerd config")
}
// restart containerd now that we've re-configured it
// skip if containerd is not running
if err := node.Command("bash", "-c", `! pgrep --exact containerd || systemctl restart containerd`).Run(); err != nil {
return errors.Wrap(err, "failed to restart containerd after patching config")
}
return nil
}
}
if err := errors.UntilErrorConcurrent(fns); err != nil {
return err

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we depend on the version of the config?

user's patches will not work as intended, they will wind up merging in keys that are not valid for v3 because all the keys have new namespacing again.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(and if they simply switch to v3 keys, it will not work with older kind images)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, so you refer to the "existing" user patches, I think is a matter of how you see it then ... for me those are containerd specific patches, and yes, users need to adapt them to containerd 2.0 unless there is some containerd feature that allows to migrate between formats

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for me those are containerd specific patches, and yes, users need to adapt them to containerd 2.0 unless there is some containerd feature that allows to migrate between formats

But then their config won't work for older kind releases/images.

The way we do this with kubeadm config patches is you can have multiple patches that are targeting different kubeadm API versions. So far that's been irrelevant because for nearly all of our history we've only had containerd 2.0 config.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But actually, that is for a future PR, because in this PR we're still using a v2.0 config (images/base/files/etc/containerd/config.toml), this part of the diff seems to be technically unecessary for now.

Copy link
Contributor

@aojea aojea Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, I got it now, so we keep using containerd 2.0 version for the config and let containerd deal with the translation internall to version 3 https://github.com/containerd/containerd/blob/main/docs/cri/config.md#config-versions

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, before we switch our config to v3 we should give users a way to deal with it smoothly, but we're not actually switching to v3 in this PR, even though this PR adds partial support for v3.

@aojea
Copy link
Contributor

aojea commented Jan 7, 2025

/lgtm

I'm positively surprised the diff is so small ... IIRC we already had issues with ctr and storage formats in the past

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 7, 2025
@BenTheElder
Copy link
Member

I'm positively surprised the diff is so small ... IIRC we already had issues with ctr and storage formats in the past

I don't think this addresses all of the issues, and since CRI only has v1 and not v1alpha2 in containerd v2, we break kubernetes < 1.26 (which is probably OK, but worth noting, we have not actively broken an old k8s version for some time now).

@AkihiroSuda
Copy link
Member Author

since CRI only has v1 and not v1alpha2 in containerd v2, we break kubernetes < 1.26

CRI v1 seems introduced in Kubernetes 1.20: kubernetes/kubernetes@9fcede9

@aojea
Copy link
Contributor

aojea commented Jan 7, 2025

and since CRI only has v1 and not v1alpha2 in containerd v2, we break kubernetes < 1.26 (which is probably OK, but worth noting, we have not actively broken an old k8s version for some time now).

v1 was added in 1.20 kubernetes/kubernetes#96387
it was made default in 1.23 kubernetes/kubernetes#106501
In 1.26 v1alpha2 was dropped kubernetes/kubernetes#110618, but we should support until 1.20 IIUIC

@BenTheElder
Copy link
Member

CRI v1 seems introduced in Kubernetes 1.20: kubernetes/kubernetes@9fcede9

ACK, definitely no problem with that.

We will still need to make sure to note this for the release, and we should consider if this is sufficient excuse to drop other < 1.20 bits from the project. We've been very lenient about dropping support outright so far.

And re: other parts: #3828 (comment)

@BenTheElder
Copy link
Member

BenTheElder commented Jan 7, 2025

At some point <1.19 will be widely unusable because of cgroups v2 anyhow.

Fix issue 3768

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2025
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AkihiroSuda
Once this PR has been reviewed and has the lgtm label, please ask for approval from aojea. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 8, 2025
@k8s-ci-robot
Copy link
Contributor

@AkihiroSuda: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kind-conformance-parallel-ipv6 ccd6c2a link true /test pull-kind-conformance-parallel-ipv6
pull-kind-e2e-kubernetes-1-28 ccd6c2a link true /test pull-kind-e2e-kubernetes-1-28

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@@ -55,7 +55,8 @@ func (c *containerdImporter) Pull(image, platform string) error {
func (c *containerdImporter) LoadCommand() exec.Cmd {
return c.containerCmder.Command(
// TODO: ideally we do not need this in the future. we have fixed at least one image
"ctr", "--namespace=k8s.io", "images", "import", "--label=io.cri-containerd.pinned=pinned", "--all-platforms", "--no-unpack", "--digests", "-",
// --local=true: see the comment in pkg/cluster/nodeutils/util.go
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we set --no-unpack, isn't the issue in the other location with unpacking?

@AkihiroSuda AkihiroSuda marked this pull request as draft January 10, 2025 00:31
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Containerd 2.0 support
5 participants