Support containerd 1.7 #297
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
github-actions
bot
added
the
tide/merge-method-squash
k8s-ci-robot
added
the
size/S
Mik4sa
force-pushed
the
containerd-1.7-support
branch
from
17b7e22
to
aa4253c
Compare
I don't think the It feels like something else is going on here? does the |
It might be that the working directory changed between containerd v1.6 and v1.7 too. |
|
That was my expectation, was the Working dir changed. I am surprised that change the folder name is making a difference here. |
Mik4sa
force-pushed
the
containerd-1.7-support
branch
from
aa4253c
to
3ab5b19
Compare
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marosset, Mik4sa The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@marosset What is missing here so this gets the lgtm label/gets merged? |
| ls $env:CONTAINER_SANDBOX_MOUNT_POINT/etc/kube-flannel/ | ||
| cp -force $env:CONTAINER_SANDBOX_MOUNT_POINT/etc/kube-flannel/net-conf.json C:\etc\kube-flannel\net-conf.json | ||
| ls $env:CONTAINER_SANDBOX_MOUNT_POINT/mounts/kube-flannel/ | ||
| cp -force $env:CONTAINER_SANDBOX_MOUNT_POINT/mounts/kube-flannel/net-conf.json C:\etc\kube-flannel\net-conf.json |
There was a problem hiding this comment.
What is the value of CONTAINER_SANDBOX_MOUNT_POINT in this script with 1.7? I am guessing we are getting the error cp : Access to the path 'C:\etc\kube-flannel\net-conf.json' is denied because we are trying to copy from the wrong place. If CONTAINER_SANDBOX_MOUNT_POINT is not set then we would be trying to copy from c:/etc/kube-flannel/net-conf.json which isn't created yet (we are trying to do that now...).
There was a problem hiding this comment.
Afaik 'C:/hpc' but I can't verify before wednesday/thursday
There was a problem hiding this comment.
What is the value of
CONTAINER_SANDBOX_MOUNT_POINTin this script with 1.7?
It's C:\hpc\. Just verified.
I am guessing we are getting the error
cp : Access to the path 'C:\etc\kube-flannel\net-conf.json' is deniedbecause we are trying to copy from the wrong place.
I manually entered into the flannel pod and executed the commands one by one and made some other testing.
The source doesn't seem to be problematic. I'm able to copy it to a different folder. This for example works (after creating the target directory):
cp -force $env:CONTAINER_SANDBOX_MOUNT_POINT/etc/kube-flannel/net-conf.json C:\test\
But when I for example try to delete the target file with this command:
Remove-Item C:\etc\kube-flannel\net-conf.json
I get the following error:
Remove-Item : Cannot remove item C:\etc\kube-flannel\net-conf.json: Access to the path 'C:\etc\kube-flannel\net-conf.json' is denied.
At line:1 char:1
+ Remove-Item C:\etc\kube-flannel\net-conf.json
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\etc\kube-flannel\net-conf.json:FileInfo) [Remove-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : RemoveFileSystemItemUnAuthorizedAccess,Microsoft.PowerShell.Commands.RemoveItemCommand
This is because the configmap kube-flannel-cfg is mounted into this place (readonly). I verified that by editing the configmap first and then checking the content inside of the container:
PS C:\> cat C:\etc\kube-flannel\net-conf.json
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
}
"Some falsy value..."
}
And this is the target directory structure:
PS C:\> ls C:\etc\kube-flannel\
Directory: C:\etc\kube-flannel
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/12/2023 2:54 PM ..2023_05_12_14_54_31.2595385805
d----l 5/12/2023 2:54 PM ..data
-a---l 5/12/2023 2:54 PM 0 cni-conf.json
-a---l 5/12/2023 2:54 PM 0 net-conf.json
There was a problem hiding this comment.
Ah, I yes this has to do with the behavioral change with mounts in containerd 1.7 (which I think you already said. Thanks for bearing with me! 😄).
Additional volume mounts specified for hostProcess containers will be mounted at their requested location and can be access the same way as volume mounts in Linux or regular Windows Server containers.
ex: a volume with a mountPath of /var/run/secrets/token for containers will be mounted at c:\var\run\secrets\token for containers.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
Reason for PR:
The
kube-flannelandkube-proxypods were failing/crashing with containerd 1.7.0. This was because of the usage ofbind volumeinstead ofsymlink volume(see here).This problem was first mentioned in #289 and here: #277 (comment)
For details check this comment: #277 (comment)
Issue Fixed:
Fixes #289
Requirements
Notes:
I decided to move the mounts to
/mounts/...instead of directly mounting them to the root because of two reasons:/kube-proxy/mounts/...maybe better communicates that these are actual mounts which was really hard for me to understand due to the behavior of hostprocess containers.