New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make OCI options cross-platform #7928
Conversation
3e9ec5e
to
a22081c
Compare
Nice I might not even need to do anything 🤣 |
c80af7a
to
ac5112f
Compare
/test pull-containerd-sandboxed-node-e2e |
60212e5
to
ad67108
Compare
@@ -36,6 +37,10 @@ service Sandbox { | |||
// StartSandbox will start previsouly created sandbox. | |||
rpc StartSandbox(StartSandboxRequest) returns (StartSandboxResponse); | |||
|
|||
// Platform queries the platform the sandbox is going to run containers on. | |||
// containerd will use this to generate a proper OCI spec. | |||
rpc Platform(PlatformRequest) returns (PlatformResponse); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's say LCOW implements Platform, does it return Linux?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's the tricky part here it seems, LCOW is a part of the same shim as Windows containers. Feel like we'd need something here to tell the shim what guest to launch in the first place (annotation/shim option etc.) Likely a different PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if we can add this as part of the runtime configuration, similar to some of the other per-shim configuration fields. Greedily, it makes me think that this needn't be sandbox API only. Similarly, perhaps a single shim can actually support multiple guest targets.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea that was my first thought here #7910, if it's generic though and specified here we still need to forward it to the shim somehow (annotation would be easiest but ideally whatever would denote it would be standardized/part of the runtime spec)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see -- you're saying that the shim cannot determine the target based on the resulting spec that it receives, and we'd be reliant on an annotation otherwise to indicate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for not getting a chance to comment on this sooner. Adding a few thoughts from my side.
LCOW isn't supported on CRI today, we don't really need to solve for that at this point. However, we should aim for a path where the runhcs shim can implement sandbox support, and right now I don't think it would have a good way to know what platform to report.
Given that we will probably need some way (e.g. a platform field on each runtime handler like in #7910) for CRI to tell the shim what platform to create a sandbox for, it seems a bit odd to me that we then have to turn around and ask the sandbox what its platform is. We just got done telling it what platform it should be, so can we just remember that value (perhaps stored in CRI's sandboxstore) rather than querying it?
This would mean we can avoid adding a new controller/sandbox API to query what platform is running, which simplifies the changes needed here.
Would splitting into two shims even an option?
I'd prefer we don't have to force a change in shim architecture to accomodate this. There are also some technical reasons to want a single shim binary, such as code page sharing between shim processes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it seems a bit odd to me that we then have to turn around and ask the sandbox what its platform is.
That's fair. However there is no official way on CRI level to specify target platform, so it's currently up to a runtime how to figure out which target OS to run (configs, annotations, etc). So I'd prefer to avoid hard-coding this on containerd-CRI side for now. This is a good path forward though, I like this, we can update interfaces in 2.0 as sandbox API is still experimental and we can tune interface as we need.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well I guess this is okay 😆 Personally feel that what platform is being run is a central enough part that CRI should explicitly specify it, but don't think it's a big deal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
KEP time? 🤓
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, it would be a configuration option - not hard coded, similar to runtime's config path or which CNI plugin to use, right?
/test pull-containerd-sandboxed-node-e2e |
I think a lot of this makes sense and the sandbox API fits very nice here. I'll work on a way for shims that support multiple platforms to get passed what OS the sandbox needs in the first place; I'll reword #7910 a little. My main comment is making that container spec generation a little nicer so I'll wait for that and re-look |
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
/test pull-containerd-sandboxed-node-e2e |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks!
Since VM based runtimes become a thing, at doesn’t make any sense anymore to separate OCI options by platform (e.g. have spec_opts_linux, _windows, etc).
It’s quite legal to use different host and guests (like run Windows container from Linux host or Linux VM from Darwin).
In current implementation a runtime receives a wrong OCI spec if host OS != guest OS.
Instead we should be asking runtime what kind of OS its going to run and depending on that containerd must build proper container spec. So we should not exclude OCI options at compile time.
In the end we should end up with something like this:
This PR:
Doing PRs separately to avoid huge diffs. This one just copy-pastes function to make them available everywhere.