Compatibility with Windows

[kagoesy]

May I know does Kured support Windows node? If so, any requirement for the Kubernetes version and Kured version?

[atighineanu]

@kagoesy, Kured is written for linux (POSIX compliant) operating systems, because it uses /var/run/reboot-required file to trigger a reboot on a node. Since the filesystem of Windows is different - it will not work on such a node, unless you create a fake /var/run/reboot-required pointing to a C:...\Temp\reboot-required file.
This feature, however, sounds interesting and might be discussed.
@dholbach, what do you think? I may try to add this feature, but it were nicer if I heard your feedback and we could discuss some details.

[dholbach]

@jackfrancis Do you have some feedback for this question?

[jackfrancis]

I know @marosset has been experimenting with some ways to standardize a Windows interface that we can incorporate into kured. As @atighineanu points out, there's not a simple 1:1 translation of the POSIX standard that Linux distros use.

[marosset]

Yes, I have been experimenting with Windows support in some my spare time.
At a minimum Windows support will require Host Process Containers support which was added as alpha in K8s v1.22 and will hopefully go to beta in v1.23.
Host Process Containers are similar to privliged containers for Linux.

I did some exploratory work and here are some findings.
There are a few 'well known' registry keys users can query to see if there is a pending reboot for the system. These registry keys only get cleared by the servicing stack IF the servicing stack took action. If these keys are set manually and then the machine is rebooted the keys stay set.

My thoughts are that on Windows we could do something like this:

• Create a powershell script that runs as the reboot check which would
  • Query the well known registry keys and if the machine is indicating that a reboot is required. If a reboot is required write a /var/run/reboot-required sentinel file
  • Check if /var/run/reboot-required sentinel file exists and if so indicate that machine needs to be rebooted.
• Use an init container or something to register a scheduled task to run on machine startup that would delete /var/run/reboot-required.

This approach would allow for detection of reboots from both Windows updates / servicing events (by checking reg keys) and generic workloads (by writing a sentinel file).

I'm curious what everyone thinks here.

[jackfrancis]

Thanks @marosset!

Based on the above I think we would benefit from two standards:

1. The filepath of the sentinel file
2. The "run on every bootup" thing that always deletes the standardized sentinel file

• we might want a sponsor to publish a well-known container that does the above (perhaps following the patter of the standard pause container"

Do we know that a reboot gesture will always be equivalent to "the service stack took action"? I'm thinking, if we have a thing that continuously looks for these registry keys and then cretes the sentinel file once it exists, if a reboot doesn't have the result of clearing the registry key, we will enter into a "reboot loop".

[marosset]

Do we know that a reboot gesture will always be equivalent to "the service stack took action"? I'm thinking, if we have a thing that continuously looks for these registry keys and then cretes the sentinel file once it exists, if a reboot doesn't have the result of clearing the registry key, we will enter into a "reboot loop".

Unless there is an issue applying the updates across the reboot it is safe to assume that the registry keys will be cleared.
These registry keys are documented and also control the prompts exposed to users indicating that there is a pending update so please reboot your machine.

[jackfrancis]

Great, thanks.

How should we go about standardizing the location a Windows sentinel file that is equivalent to /var/run/reboot-required? As this is not Kubernetes-specific, it might not seem that SIG-Windows is the best place for that. However, if we can standardize this first within the Kubernetes ecosystem perhaps that may prove to be generally useful and it can be RFC'ified in some way going forward?

[marosset]

After there is a PoC / agreement in kured on the overall design on how we want this to work for Windows we can bring this up at one of the SIG-Windows community meetings for feedback on specifics like file names?

[marosset]

I have a PoC at #460 - please take a look!

[github-actions]

This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).

[davhdavh]

we might want a sponsor to publish a well-known container that does the above (perhaps following the patter of the standard pause container"

mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b

with a volume mount to a configmap/secret with a ps1 file is enough for host-process on all windows versions.

ie.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: blabla
spec:
  selector:
    matchLabels:
      k8s-app: blabla
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: blabla
    spec:
      serviceAccountName: blabla
      securityContext:
        windowsOptions:
          hostProcess: true
          runAsUserName: "NT AUTHORITY\\system"
      hostNetwork: true
      volumes:
      - name: myconfigmap
        configMap:
          name: myconfigmap
      containers:
      - name: kube-proxy
        # Update VERSION to match your Windows server version.
        image: mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b
        command:
          - powershell
          - -c
          - ./myfolder/run.ps1
        volumeMounts:
        - name: myconfigmap
          mountPath: /myfolder/run.ps1
          subPath: run.ps1
      nodeSelector:
        kubernetes.io/os: windows
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfigmap
data:
  run.ps1: |
        Write-Host "running on host"

[davhdavh]

How should we go about standardizing the location a Windows sentinel file that is equivalent to /var/run/reboot-required

The equivalent seems to be

if((Get-Item "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -ErrorAction SilentlyContinue).Property -Or (Get-Item "HKLM:Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending" -ErrorAction SilentlyContinue).Property) {
  write-output "reboot pending"
}

There is a few more reg entries that deals with windows file system renames and domain etc, but I dont think they are relevant for kured.

See https://github.com/dotnet/sdk/blob/0847ed4847516935861fe4b02b4794430a50b4d7/src/Cli/dotnet/Installer/Windows/WindowsUtils.cs#L56 (MIT licensed)