Add sandboxer configuration and move sandbox controllers to plugins #8268
Conversation
|
Hi @abel-von. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
abel-von
force-pushed
the
sandbox-plugin
branch
8 times, most recently
from
72fb327
to
78ff094
Compare
abel-von
force-pushed
the
sandbox-plugin
branch
2 times, most recently
from
ea1bce3
to
9415b46
Compare
abel-von
force-pushed
the
sandbox-plugin
branch
6 times, most recently
from
1b635f0
to
44a9799
Compare
| repeated containerd.types.Mount rootfs = 2; | ||
| google.protobuf.Any options = 3; | ||
| string netns_path = 4; | ||
| string sandboxer = 1; |
There was a problem hiding this comment.
Since this API has already been included in a release, we don't want to make numeric changes like this. We are not planning on changing the API versions (from v1 to v2) for the 2.0 release. The sandboxer could be set to a consistent number such as 10 at the end though, the order isn't as important as the compatibility.
| // This features requires experimental CRI server to be enabled (use ENABLE_CRI_SANDBOXES=1) | ||
| // shim - means use whatever Controller implementation provided by shim (e.g. use RemoteController). | ||
| // podsandbox - means use Controller implementation from sbserver podsandbox package. | ||
| SandboxMode string `toml:"sandbox_mode" json:"sandboxMode"` | ||
| Sandboxer string `toml:"sandboxer" json:"sandboxer"` |
There was a problem hiding this comment.
Maintain the previous key as well, but set it as deprecated. We will deal with the removal of deprecated keys in a consistent way.
There was a problem hiding this comment.
I don't quite get what should we do exactly, These are the options I can think of.
- keep the tag key as "sandbox_mode"
Sandboxer string `toml:"sandbox_mode" json:"sandboxMode"`
- add another field SandboxMode
// Deprecated
SandboxMode string `toml:"sandbox_mode" json:"sandboxMode"`
Sandboxer string `toml:"sandboxer" json:"sandboxer"`
- add multiple keys for the same field? it seems not supported for toml or json marshal framework
Sandboxer string `toml:"sandboxer" json:"sandboxer" toml:"sandboxe_mode"`
There was a problem hiding this comment.
@dmcgowan How do we deal with this config key? is it option 2 above?
pkg/cri/sbserver/sandbox_run.go
Outdated
| @@ -212,6 +213,50 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox | |||
| return nil, fmt.Errorf("unable to save sandbox %q to store: %w", id, err) | |||
| } | |||
|
|
|||
| // Create sandbox container root directories. | |||
There was a problem hiding this comment.
Can you explain a little more why this functionality was moved out of the podsandbox controller back to here? This logic should be implementation specific rather than done by by the CRI server.
There was a problem hiding this comment.
It seems the shim sandbox controller also need to implement a same logic to create these files, otherwise the hostname, hosts and DNS configs are lost in containers. I didn't start a container with runc and sandbox_mode of shim successfully, But I think if we can succeed start it, these files should be created.
If we move it into podsandbox controller, I think we should copy these codes into the shim controller too. So I think maybe we should reserve it as a common logic in the CRI server.
Yes I think it is a implementation specific logic because some sandbox like wasm may not need these files, but I think most of the sandbox need these files.
I can remove this commit if it is neccesary, and implement it in our sandbox controller.
There was a problem hiding this comment.
It could make sense to break this functionality into a library which different implementations can use. We are trying to minimize the amount of host setup needed when using the sandbox interface. The sandbox implementations should own this rather than it being a common operation for any sandbox.
There was a problem hiding this comment.
OK,the commit is removed
| if sandboxer == nil { | ||
| inst.Sandboxer = "" | ||
| } else { | ||
| inst.Sandboxer = string(sandboxer) |
| // As the dependency from this controller to cri plugin is hard to decouple, | ||
| // we define a global podsandbox controller and register it to containerd plugin manager first, | ||
| // we will initialize this controller when we initialize the cri plugin. | ||
| var controller = &Controller{} |
There was a problem hiding this comment.
Can we register multiple plugins from the same CRI config instead of global variable? This would require a bit of refactoring in initCRIService.
There was a problem hiding this comment.
I have tried to do that but it made a plugin dependency cycle that is hard to untie, the initialization of fields in this Contoller depends on many kinds plugins and makes cyclic dependency too easily. I tried many times in different ways and at last I gave up and get this global variable idea.
abel-von
force-pushed
the
sandbox-plugin
branch
2 times, most recently
from
ddc9e8c
to
ca58cd1
Compare
|
/ok-to-test |
abel-von
force-pushed
the
sandbox-plugin
branch
from
4a713f4
to
04f7756
Compare
As we are going to support more kinds of sandboxers, we have to tell containerd which sandboxer used to manipulate a specific sandbox. Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
make containerd extensible to support more sandbox controllers registered into containerd by config. we change the default sandbox controller plugin's name from "local" to "shim". to make sure we can get the controller by the plugin name it registered into containerd. Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
When call sandbox controller to create sandbox, we change the param from sandbox id to total sandbox object to git all information to controller, so that sandbox controller do not rely on the sandbox store anymore, this is more decouple for the sandbox controller plugin inside containerd, and it is neccesary for remote sandbox controller plugins as it is not able to get sandbox from the sandbox store anymore. Signed-off-by: Abel Feng <fshb1988@gmail.com>
The ShimManager.Start() will call loadShim() to get the existing shim if SandboxID is specified for a container, but shimTask.PID() is called in loadShim, which will call Connect() of Task API with the ID of a task that is not created yet(containerd is getting the shim and Task API address to call Create, so the task is not created yet). In this commit we change the logic of loadShim() to get the shim without calling Connect() of the not created container ID. Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
abel-von
force-pushed
the
sandbox-plugin
branch
from
04f7756
to
3ef300c
Compare
| return nil, fmt.Errorf("failed to get sandbox runtime: %w", err) | ||
| } | ||
|
|
||
| return c.client.SandboxController(ociRuntime.Sandboxer), nil |
There was a problem hiding this comment.
This is causing a unit test regression as some of the unit tests do not have the client defined. We should figure out a way to avoid calling the client here.
There was a problem hiding this comment.
I'm sorry I don't quite get it, when I run make test, all tests passed, and we can see many places in cri codes to call client, why should we avoid calling client here? I think I can make it by defining a sandboxControllers in criService, but I don't get the reason why we have to do it. Could you please tell me why?
There was a problem hiding this comment.
I see, it is the TestListContainerStats that need to get platfrom from sandbox controller.
There was a problem hiding this comment.
Maybe I can define a sandboxService interface in cri and define the Platform() method in it, and I can define a fakeSandboxService struct in test codes and init such an object into the criService in newTestCRIService.
There was a problem hiding this comment.
Also opened #9268 to fix the test. The direction we are going through is like you have it, reducing use of the client.
There was a problem hiding this comment.
I made a fix in #9275, please take a look.
dmcgowan
changed the title
The sandbox controller is hard coded in the cri plugin yet, in this PR I reconstruct the codes to make the "shim" and "podsandbox" controllers a sandbox controller plugin in containerd.
This is the first PR of the proposal #7739