-
Notifications
You must be signed in to change notification settings - Fork 717
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
default the "cgroupDriver" setting of the kubelet to "systemd" #2376
Comments
@BenTheElder (kind) @afbjorklund (minikube) @randomvariable @fabriziopandini (cluster api) |
@floryut (kubespray) |
kubespray force the configuration I think, for docker it's systemd, and for containerd it's still cgroupfs but should change soon |
ping @saschagrunert for crio feedback |
i've noticed we are missing the this is something i can update this cycle (but would prefer if someone more familiar with cri-o does this). |
the docs say that you should use systemd as the driver, if your system is using systemd...
the emphasis is on that you shouldn't have different drivers, not that you must use systemd ?
minikube does some detection of what the host is using, and sets
however, for the supported OS distribution (VM) the default has been changed to systemd
I think the vocal minority that does not use systemd could get upset about the runtime default changing... But as far as I know, Kubernetes has recommended changing the Docker default driver for a long time ? |
the cri-o default changed in version 1.18, so most users would have systemd (by default) but it would be good to have it documented, since cgroupfs was the default for cri-o 1.17 |
that is true, of course. but the official kubelet package uses systemd to manage the kubelet. |
thanks for the details on minikube
indeed, we have explained to users that they should use the "systemd" driver for a number of releases (outside of the support skew). |
@neolit123 @afbjorklund I can give the CRI-O docs an update this cycle and mention the driver. 👍 |
thanks @saschagrunert |
so Is there any docs for containerd change default cgroup driver to systemd? @champtar |
There is no doc at the moment, but we plan to default containerd (as the CR) in the next kubespray release, and while we do that we plan to move the cgroup driver to systemd. |
i think there must be a common method to check cri cgroup driver, so during kubeadm init , if kubeletconfig. groupDirver is blank, we check the cri cgroup driver by the commom method. this checking is default by using docker now ? but missing for container/cri-o? |
It was discussed in |
this is currently not possible. some time ago, someone invested a lot of time investigating how to place cgroup driver detection inside the kublet for all container runtimes but it never happened. |
@neolit123 I have some concern about changing the default mostly for upgrade workflow: In the case of kubeadm upgrades (in-place upgrades): In the case of Cluster API (immutable upgrades), this requires documentation/coordination with the users, unless this happens by default in CAPBK; also AFAIK currently it is not possible to change the KubeletConfiguration (see kubernetes-sigs/cluster-api#1584), so are we still relying on ExtraArgs, which is not ideal. |
We had some "interesting" issues in minikube, that turned out to be Docker configuration (or handling): $ sudo systemctl stop docker.socket
$ docker info --format {{.CgroupDriver}}
panic: reflect: indirection through nil pointer to embedded struct [recovered]
panic: reflect: indirection through nil pointer to embedded struct The moral of the story is to always check the docker daemon status, before trying to look at server details... |
this will not be a problem for the kubeadm mutable upgrades as kubeadm no longer upgrades the KubeletConfiguration (part of Rosti's work). so the shared KubeletConfiguration for all nodes will remain on "cgroupfs" if the user did not set it.
if both image builder set the CR to "systemd" and kubeadm sets KubeletConfiguration to "systemd" (by default) and assuming that image-builder produces images strictly targeting a k8s version this will not be a problem. the --cgroup-driver flag doesn't have to be set via image builder or CAPBK doesn't have to pass this via KubeletConfiguration. with all kubelet flags being removed this will hit the users. |
this seems like something that can be avoided even if the server is not running. |
Indeed, but haven't opened a bug with docker (or moby?) yet. Still happens, though. |
I don't think that kubeadm should be modifying the configuration for the container runtime. It looks like output from running {
"status": {
"conditions": [
{
"type": "RuntimeReady",
"status": true,
"reason": "",
"message": ""
},
{
"type": "NetworkReady",
"status": true,
"reason": "",
"message": ""
}
]
},
"cniconfig": {
"PluginDirs": [
"/opt/cni/bin"
],
"PluginConfDir": "/etc/cni/net.d",
"PluginMaxConfNum": 1,
"Prefix": "eth",
"Networks": [
{
"Config": {
"Name": "cni-loopback",
"CNIVersion": "0.3.1",
"Plugins": [
{
"Network": {
"type": "loopback",
"ipam": {},
"dns": {}
},
"Source": "{\"type\":\"loopback\"}"
}
],
"Source": "{\n\"cniVersion\": \"0.3.1\",\n\"name\": \"cni-loopback\",\n\"plugins\": [{\n \"type\": \"loopback\"\n}]\n}"
},
"IFName": "lo"
},
{
"Config": {
"Name": "multus-cni-network",
"CNIVersion": "0.3.1",
"Plugins": [
{
"Network": {
"cniVersion": "0.3.1",
"name": "multus-cni-network",
"type": "multus",
"ipam": {},
"dns": {}
},
"Source": "{\"cniVersion\":\"0.3.1\",\"delegates\":[{\"cniVersion\":\"0.3.1\",\"name\":\"kindnet\",\"plugins\":[{\"ipMasq\":false,\"ipam\":{\"dataDir\":\"/run/cni-ipam-state\",\"ranges\":[[{\"subnet\":\"10.244.0.0/24\"}]],\"routes\":[{\"dst\":\"0.0.0.0/0\"}],\"type\":\"host-local\"},\"mtu\":1500,\"type\":\"ptp\"},{\"capabilities\":{\"portMappings\":true},\"type\":\"portmap\"}]}],\"kubeconfig\":\"/etc/cni/net.d/multus.d/multus.kubeconfig\",\"name\":\"multus-cni-network\",\"type\":\"multus\"}"
}
],
"Source": "{\"cniVersion\":\"0.3.1\",\"name\":\"multus-cni-network\",\"plugins\":[{\"cniVersion\":\"0.3.1\",\"delegates\":[{\"cniVersion\":\"0.3.1\",\"name\":\"kindnet\",\"plugins\":[{\"ipMasq\":false,\"ipam\":{\"dataDir\":\"/run/cni-ipam-state\",\"ranges\":[[{\"subnet\":\"10.244.0.0/24\"}]],\"routes\":[{\"dst\":\"0.0.0.0/0\"}],\"type\":\"host-local\"},\"mtu\":1500,\"type\":\"ptp\"},{\"capabilities\":{\"portMappings\":true},\"type\":\"portmap\"}]}],\"kubeconfig\":\"/etc/cni/net.d/multus.d/multus.kubeconfig\",\"name\":\"multus-cni-network\",\"type\":\"multus\"}]}"
},
"IFName": "eth0"
}
]
},
"config": {
"containerd": {
"snapshotter": "overlayfs",
"defaultRuntimeName": "runc",
"defaultRuntime": {
"runtimeType": "",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"untrustedWorkloadRuntime": {
"runtimeType": "",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"runtimes": {
"runc": {
"runtimeType": "io.containerd.runc.v2",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"test-handler": {
"runtimeType": "io.containerd.runc.v2",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
}
},
"noPivot": false,
"disableSnapshotAnnotations": false,
"discardUnpackedLayers": false
},
"cni": {
"binDir": "/opt/cni/bin",
"confDir": "/etc/cni/net.d",
"maxConfNum": 1,
"confTemplate": ""
},
"registry": {
"mirrors": {
"docker.io": {
"endpoint": [
"https://registry-1.docker.io"
]
}
},
"configs": null,
"auths": null,
"headers": null
},
"imageDecryption": {
"keyModel": ""
},
"disableTCPService": true,
"streamServerAddress": "127.0.0.1",
"streamServerPort": "0",
"streamIdleTimeout": "4h0m0s",
"enableSelinux": false,
"selinuxCategoryRange": 1024,
"sandboxImage": "k8s.gcr.io/pause:3.3",
"statsCollectPeriod": 10,
"systemdCgroup": false,
"enableTLSStreaming": false,
"x509KeyPairStreaming": {
"tlsCertFile": "",
"tlsKeyFile": ""
},
"maxContainerLogSize": 16384,
"disableCgroup": false,
"disableApparmor": false,
"restrictOOMScoreAdj": false,
"maxConcurrentDownloads": 3,
"disableProcMount": false,
"unsetSeccompProfile": "",
"tolerateMissingHugetlbController": true,
"disableHugetlbController": true,
"ignoreImageDefinedVolumes": false,
"containerdRootDir": "/var/lib/containerd",
"containerdEndpoint": "/run/containerd/containerd.sock",
"rootDir": "/var/lib/containerd/io.containerd.grpc.v1.cri",
"stateDir": "/run/containerd/io.containerd.grpc.v1.cri"
},
"golang": "go1.13.15",
"lastCNILoadStatus": "OK"
} |
i saw no objections to the kubeadm change so i will send a WIP PR for this today to get some feedback. |
i've sent the PR for moving to systemd in kubeadm 1.21: |
cc @xphoniex @fcolista @oz123 for feedback on Alpine / OpenRC.
alternatively in the pending PR change we could only apply the "systemd" driver if the systemd init system is used. |
/cc |
I can't speak for alpine. However, I am fine if this can be changed with a configuration (as this is the case). |
after some discussion on the PR the latest proposal is the following:
i have plans to write a small guide on how users can migrate to the "systemd" driver and this guide will be linked from https://kubernetes.io/docs/setup/production-environment/container-runtimes/ users that don't wish to migrate can be explicit and set "cgroupfs" as their driver, which means "upgrade" will not touch their setup in this regard. |
website guide PR: kubernetes/website#26786 |
added a new item for 1.22 to pin the cgroup drivers in kinder to "systemd", see this in the OP:
|
/assign |
kind switched in https://github.com/kubernetes-sigs/kind/releases/tag/v0.13.0, but delayed to Kubernetes v1.24.0+ (to minimize breaking change to our users) |
As kubernetes/enhancements#4034 is in the discussion, kubeadm may not set the default value if kubelet can detect and set the cgroup driver using CRI to get container runtime cgroup driver status. After that KEP is merged, we may need a new issue to track it. (The KEP is not merged and not implemented yet, so it is still in process.) |
the kubelet from the official k8s package is run using systemd (as the serv manager) and kubeadm depends on this assumption.
the drivers between the kubelet and the runtime should match and if the kubelet is run using systemd the driver should be "systemd":
https://kubernetes.io/docs/setup/production-environment/container-runtimes/
for Docker there is auto-detection of cgroup drivers, which we may move to be on the side of dockershim:
kubernetes/kubernetes#97764 (comment)
for runtimes other than Docker, currently kubeadm does not auto-detect or set the value.
this ticket is about the proposal to default KubeletConfiguration that kubeadm generates to the "systemd" driver unless the user is explicit about it - e.g.:
the container runtime docs already instruct users to use the
systemd
driver:https://kubernetes.io/docs/setup/production-environment/container-runtimes/
but the above will be a breaking change to users that are not configuring their CR to
systemd
and not matching that for the kubelet.opening this ticket to gather feedback from users and higher level tools.
chat in the #kind channel from today:
https://kubernetes.slack.com/archives/CEKK1KTN2/p1610555169036600
1.21
kubeadm: set the kubelet cgroup driver to "systemd" during "init" kubernetes#99471
kubeadm: add separate page for configuring / migrating cgroup driver website#26786
1.22
cmd/kubeadm/app/componentconfigs/kubelet.go#Default()
. This will make it apply to all commands:kubeadm: move cgroupDriver defaulting to kubeconfig/kubelet.go Default() kubernetes#102133
The text was updated successfully, but these errors were encountered: