containerd: download containerd from upstream instead of using distro specific packages #7970
Conversation
Thanks for doing this!
- name: install container-selinux | ||
package: | ||
name: container-selinux |
Is it still necessary to install libseccomp/libseccomp2 for yum/apt 🤔
`container-selinux` is not libseccomp, it is a bunch of selinux modules built for generic container hosts and is needed in case selinux is enabled.
Actually I think you were right about ensuring libseccomp is present, but this is separate from the need to have `container-selinux` present and is not required by `container-selinux`, so I added it to `containerd-common` to ensure it gets installed properly.
- containerd-shim | ||
- containerd-shim-runc-v1 | ||
- containerd-shim-runc-v2 | ||
- ctr |
Missed {{ containerd_bin_dir }}/runc
This may actually need to be changed to make molecule tests happy about the idempotency of the download/unarchive tasks.
Latest changes properly put runc under its own location.
/cc @floryut , this necessarily reverts work you did on #7972 since we no longer rely on distro specific versions, to keep compatibility with the old code I can also add the old hashes for the previous containerd versions but that would go against our policy to keep just one major version (i.e. 1.4.9 and 1.5.5 as of this writing).
Thanks again for doing that!
Can you confirm we are using the same path as before? I think this is important for selinux/apparmor to work out of the box.
Have you checked that the containerd.service matches what was in the deb/rpm?
Also this removes support for arm64 for now, need to mention that in the release notes.
- name: containerd-common | install container-selinux | ||
package: | ||
name: container-selinux | ||
state: latest |
Use present
This has moved around in the latest change but uses `present` instead of `latest`.
name: container-selinux | ||
state: latest | ||
when: | ||
- preinstall_selinux_state != 'disabled' |
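Review bot: `state: latest` on the `container-selinux` package has the same drift problem flagged on the earlier hunk: every play run may upgrade the package to whatever the repo currently serves, which also breaks the idempotency that the molecule runs mentioned above check for; `state: present` installs it once and leaves upgrades to a deliberate change.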
I think we should always install it (this is what was done), and we could even move it to the OS prepare steps
I moved this part to `bootstrap-os` as suggested.
- name: containerd-common | install libseccomp | ||
package: | ||
name: "{{ seccomp_package }}" |
Same thing, should we just move that to OS prepare steps ?
Same as above, the logic was moved to `bootstrap-os`.
name: "{{ containerd_package }}" | ||
state: absent | ||
when: | ||
- not is_ostree |
We should also remove the repos
Moved this part back to the `containerd` role since `containerd-common` is also referenced by the `docker` role. That change also cleans up the repos.
state: absent | ||
register: services_removed | ||
tags: | ||
- services |
we should also remove the repos here I think
I would do this in a separate PR to inventory all repos we deploy on all supported distributions and add a clean task to the `reset` role.
Yes, this is why I switched back and forth between using the
I just checked it now, initially I copied the one upstream was bundling in the
Fair point, but we would need to ask upstream to build release binaries for arm64. Is noting this in the release notes enough? Do we have the capability to actually trigger CI jobs on arm64 to actually maintain this?
way ahead of you :) containerd/containerd#5524
Rebased to fix merge conflict.
2 more small comments
name: "{{ item }}" | ||
state: present | ||
become: true | ||
with_items: | ||
- container-selinux | ||
- libseccomp |
you already edited `required_pkgs` so this should not be needed?
Hmm, good catch, I'll remove this piece.
This part was removed.
roles/download/defaults/main.yml
1.5.5: 0 | ||
amd64: | ||
1.4.3: 0 # to make debian9 jobs happy | ||
1.4.6: 0 # to make ubuntu16 jobs happy |
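Review bot: a `0` value in this checksum map leaves no hash pinned for the artifact, and 1.5.5 carries one too, not only the two CI-motivated entries; since the whole point of this PR is pulling binaries straight from upstream rather than from a signed distro repo, each version listed here should carry its real sha256 before merge, otherwise the download step cannot tell a tampered or truncated tarball from a good one.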
debian9 and ubuntu16 could switch to 1.5.5 now, no?
If deploying with `container_engine=containerd` this would not be needed, but when deploying with `container_engine=docker` the older versions of docker supported on those platforms bring in dependencies for older containerd and would break the CI runs due to the way the `download` role does variable interpolation.
We could also add `latest` instead of the specific versions and set `containerd_version=latest` in the debian9 and ubuntu16 jobs.
I just pushed a change using `latest` instead of specific versions, at least this keeps the code a bit cleaner.
Let's see if the CI gods agree.
… specific packages

split runc download to separate role
make bootstrap-os role deploy container-selinux and seccomp libraries
clean up package manager provided containerd
move variables to docker role that are no longer common with containerd

* replace ubuntu18 with ubuntu20
* add centos8 and debian11 to molecule tests
* run kubernetes/preinstall role to ensure relevancy of test including dependency packages
/lgtm
… specific packages (kubernetes-sigs#7970)

* Containerd: download containerd from upstream instead of using distro specific packages
  split runc download to separate role
  make bootstrap-os role deploy container-selinux and seccomp libraries
  clean up package manager provided containerd
  move variables to docker role that are no longer common with containerd
* Containerd: make molecule testing more relevant
  * replace ubuntu18 with ubuntu20
  * add centos8 and debian11 to molecule tests
  * run kubernetes/preinstall role to ensure relevancy of test including dependency packages
* CI: adjust test scenarios for downloaded containerd
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR changes the way we deploy the containerd container runtime to download it directly from GitHub or a local repository. This enables uniformity between supported distributions and eliminates version discrepancies between distros. Additionally this allows air-gapped deployments without the need for a docker repo mirror.
Which issue(s) this PR fixes:
Fixes #7941
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
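As an added example, not the PR's own tasks nor kubespray's download role, here is the shape a checksum-pinned upstream download should take to address the description above and the idempotency remark on the download/unarchive tasks: the play refuses to fetch when no sha256 is pinned, verifies the tarball before anything is unpacked into the system bin dir, and keys the unarchive on a file it creates so re-runs report no change. `containerd_bin_dir` is the only variable name taken from the page; `containerd_version`, `containerd_sha256`, `containerd_arch`, `containerd_download_dir` and `containerd_download_url` (the override for an air-gapped mirror) are assumed names.

```yaml
# Added example; variable names other than containerd_bin_dir are assumed.
- name: containerd | refuse to download without a pinned sha256
  ansible.builtin.assert:
    that:
      - containerd_sha256 is defined
      - containerd_sha256 | string != "0"   # a 0 entry means "no hash", so fail closed
    fail_msg: "No sha256 pinned for containerd {{ containerd_version }} ({{ containerd_arch }})"

- name: containerd | download upstream release tarball (mirror override for air-gapped hosts)
  ansible.builtin.get_url:
    url: "{{ containerd_download_url | default('https://github.com/containerd/containerd/releases/download') }}/v{{ containerd_version }}/containerd-{{ containerd_version }}-linux-{{ containerd_arch }}.tar.gz"
    dest: "{{ containerd_download_dir }}/containerd-{{ containerd_version }}-linux-{{ containerd_arch }}.tar.gz"
    checksum: "sha256:{{ containerd_sha256 }}"   # get_url deletes and fails on mismatch
    mode: "0644"
  register: containerd_download

- name: containerd | unpack verified binaries into containerd_bin_dir
  ansible.builtin.unarchive:
    src: "{{ containerd_download.dest }}"
    dest: "{{ containerd_bin_dir }}"
    remote_src: true
    extra_opts: ["--strip-components=1"]     # upstream tarball nests binaries under bin/
    creates: "{{ containerd_bin_dir }}/ctr"  # skip on re-runs so molecule idempotency passes
    mode: "0755"
```

Because `get_url` compares the pinned hash before it reports `changed`, a mirror that serves a different file for the same version fails the play instead of silently replacing the runtime.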