implement direct containerd Executor.

[ijc]

This is a very early implementation of an executor which allows standalone swarmd to talk directly to containerd via gRPC. Posting this now to get feedback on the direction as well as the priorities wrt the missing bits (see below)

It is activated by passing --containerd-addr=/run/containerd/containerd.sock to swarmd. The contents of both swarmkit/bin and containerd/bin must be in $PATH.

Note that currently various things expect paths under the swarmkit state dir to be absolute paths, so --state-dir=$(pwd)/swarmkitstate or similar is a good idea (since the default is the non-absolute ./swarmkitstate).

Example:

sudo env PATH=`pwd`/bin:../containerd/bin:$PATH ./bin/swarmd --state-dir=`pwd`/swarmkitstate --containerd-addr=/run/containerd/containerd.sock

then:

sudo ./bin/swarmctl service create --image library/redis:latest --name redis

This uses the existing ContainerSpec and chunks of this new code are pretty similar to the existing dockerapi executor (I have also left in some commented out code which I think will eventually be similar once the underlying scaffolding is implemented). There is likely to be opportunities for refactoring or code sharing. Alternatively (or also) we should perhaps be considering a new spec type specifically for containerd (vs docker engine).

There are many and varied holes and missing pieces of implementation (some of which I have papered over in order to get a basic executor working in the expectation of eventually rewriting to something proper, others I have punted on completely). Including (but not limited to and in no particular order):

• networking is completely unimplemented.
• secrets are completely unimplemented.
• volumes are completely unimplemented.
• images are mostly unimplemented, current implementation is a quick hack which shells out to @stevvooe's containerd dist tool for pull and rootfs constructions (the former is laundered via a dist-pull helper script). AIUI it will eventually (soon?) be possible to ask containerd to take care of this via gRPC. For now the content store is placed in «swarmkitstate»/content-store and image manifests are cached in a manifests subdirectory of that. Now uses the containerd provided content store interfaces to build rootfs. Pull is still via a script for now.
• container logging (or stdio of any sort) is unimplemented.
• Lifecycle tasks other than Create()+Start() (e.g. Shutdown(), Terminate() & Remove()) are unimplemented (containerd API doesn't have the same granularity?). Wait() has a simple implementation but is hampered by lack of events (I don't seem to get any from ctr events, haven't actually tried the gRPC API) in containerd at the moment. Done
• Healthcheck is unimplemented.

Lastly, this code cribs bits of functionality from a variety of places (e.g. "github.com/docker/containerd/cmd/ctr/utils".prepareStdio() & getGRPCConnection, "github.com/docker/docker/oci".DefaultSpec(), types from github.com/docker/docker/image etc) which mostly ought to be refactored rather than just cut and pasted.

This has been written/tested against docker/containerd#1dc5d652ac1adf8f0a92ee8eff7af07b129d4e21. Bundles are placed as subdirectories under «swarmkitstate»/bundles. I'm aware of @crosbymichael's work in docker/containerd#526 and will look into porting over next. Now based on docker/containerd#61400c57ae1d599626b9a5f28b98ac9074b8f1a9 docker/containerd#a7ef3e5313e9731274f60e14d396dab4729b562f

[ijc]

With this we now have github.com/docker/swarmkit/agent/exec/container and github.com/docker/swarmkit/agent/exec/containerd which differ in a single character suffix. Perhaps we should consider renaming the former to github.com/docker/swarmkit/agent/exec/dockerengine (or .../dockerapi or whatever suites)?

WRT my comment in the PR text "perhaps be considering a new spec type specifically for containerd" maybe it is also worth considering renaming the ContainerSpec gRPC type too?

[aaronlehmann]

Perhaps we should consider renaming the former to github.com/docker/swarmkit/agent/exec/dockerengine (or .../dockerapi or whatever suites)?

I agree. I find the current naming confusing. I think either dockerengine or dockerapi is better. I guess I have a slight preference for dockerapi.

[stevvooe]

Let's call the swarmkit/agent/exec/container one dockerapi.

Would you mind doing that in a separate PR?

[ijc]

I wouldn't mind at all...

We should consider whether ContainerSpec should become something more dockerapiish too.

[ijc]

See #1969

[ijc]

My thinking on the priority order of the missing bits is (decreasing order or priority):

1. Remaining lifecycle ops (esp Shutdown).
2. Image handling. Well underway in containerd, can wait to consume that.
3. Networking.
4. Volume handling.
5. Unordered bucked containing everything else.

Not strictly a missing bit but I'd insert:

0. Port over docker/containerd#526 changes.

[codecov-io]

Codecov Report

Merging #1965 into master will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1965      +/-   ##
==========================================
- Coverage    60.4%   60.38%   -0.03%     
==========================================
  Files         124      124              
  Lines       20149    20149              
==========================================
- Hits        12171    12166       -5     
- Misses       6620     6624       +4     
- Partials     1358     1359       +1

[aaronlehmann]

Looks right. Seems kind of unfortunate for swarmkit to know anything about manifests though - this seems like something that belongs at a different layer of the stack. Is the plan to move this into containerd once the relevant APIs exist?

[stevvooe]

This should all go away. I'm working on this as we speak.

[ijc]

Yep, I hope to ditch all this code in favour of something @stevvooe produces soon!

[aaronlehmann]

nit: "unix://" + bindSocket? No need for Sprintf.

[stevvooe]

images are mostly unimplemented, current implementation is a quick hack which shells out to @stevvooe's containerd dist tool for pull and rootfs constructions (the former is laundered via a dist-pull helper script). AIUI it will eventually (soon?) be possible to ask containerd to take care of this via gRPC. For now the content store is placed in «swarmkitstate»/content-store and image manifests are cached in a manifests subdirectory of that.

I am working on this right now. The content store will move over to GRPC and be contained in containerd. I am still toying with the right operations and level granularity required, but I want it to be straightforward.

[stevvooe]

You might be able to hack up a rootfs by running each layer through dist apply.

[stevvooe]

What are these for?

[aaronlehmann]

They seem to be brought in as a side effect of importing distribution packages to parse manifests. I'd prefer if we could move manifest-related functionality out of swarmkit.

[ijc]

github.com/docker/containerd was needed for the gRPC stuff. I think @aaronlehmann is correct that most of the rest came in due to the need for manifest stuff from distribution. @stevvooe is that something which the content store functionality you are adding will address or shall I look for alternatives?

As an aside, figuring out the container config for a v1 schema (not the manifest itself, but the bit with Cwd, Entrypoint, Cmd etc in it) was basically guess work and reverse engineering, if anyone has an actual reference (to docs, or even better usable library code) I'd be glad to have them...

[stevvooe]

I wrote this last night, as well. Maybe, we need to provide some easy client making tools there.

[ijc]

Yes, that would be great IMHO.

[stevvooe]

This adapter pattern is proving useful. I wonder if we can pull out an abstraction for implementing executors that support ContainerSpec.

[ijc]

IMHO it'd be interesting/useful to try, assuming we want to continue down the route of mashing ContainerSpec in to containerd as opposed to adding ContainerdSpec (gah, naming).

[stevvooe]

You can use log.G(ctx).WithFields to achieve these keyvalue pairs.

[ijc]

I think I can just kill this debug and do the WithFields thing elsewhere when there is actual logging to do.

[stevvooe]

Oh, there we go!

[stevvooe]

👍

[ijc]

Force push:

• Rebased to swarmkit master.
• Update to containerd master.
• Use containerd provided archive library to perform layer application (thanks @stevvooe).
• Content store is now managed by containerd e.g. for rootfs construction. Fetch is still laundering via a script pending support from content service.
• Simplified inspect using new ContainerService.Info gRPC call.
• Bug fixes and cleanups from feedback and own review..
• List of vendorings has grown :(

[aaronlehmann]

I'm wondering if this should end up out-of-tree in some kind of swarmd repo. It feels weird to me for swarmkit to be vendoring containerd and a bunch of its dependencies. It's fine for this proof-of-concept PR, but I'm starting to wonder what final form this should take.

@stevvooe @aluzzardi WDYT?

[ijc]

@aaronlehmann yeah, it's something I've been wondering too.

Do you mean to move the whole of swarmd (and presumably by extension, swarmctl) out into a new repo (leaving behind the core functionality) or just the containerd related executor?

[dongluochen]

networking is completely unimplemented.
secrets are completely unimplemented.
volumes are completely unimplemented.

I want to understand the architecture better. For example, how should networking be implemented?

[ijc]

@dongluochen the three things you quote (networking, secrets, volumes) are for the most part open questions right now and I don't have a concrete answer for any of them. Any thoughts/advice/feedback anyone has would be useful.

For networking I've looked a bit at CNI (via https://github.com/ehazlett/circuit/) and CNM (via https://github.com/docker/libnetwork/), but no real conclusion.

For volumes I haven't really looked yet (I had a quick play with creating local volumes in the containerDir within the swarmkitstate dir, but that isn't really going to cut it). As it stands swarmd/swarmctl don't currently have a concept of volumes or their management. I think I need to look into what docker's swarmmode thinks about volume use by services and think about how that could apply to the swarmd+containerd usecase.

For secrets I haven't looked in any detail and have no answer at all.

[dongluochen]

For networking I've looked a bit at CNI (via https://github.com/ehazlett/circuit/) and CNM (via https://github.com/docker/libnetwork/), but no real conclusion.

Thanks @ijc25! @mavenugo any idea how networking should be supported with direct containerd integration?

[ijc]

Force push:

• Rebased to swarmkit master.
• Update to containerd master.
• Implement .Shutdown and .Remove methods. .Terminate remains unimplemented.
• Implement .Wait.
• Support for create's --tmpfs and --bind options.
• Mount an anon-volume on Volumes specified in container images (directory is part of swarmkit state). No support for non-anon volumes (i.e. create --volume) yet.
• Bug fixes and cleanups.

[ijc]

Force push:

• Handle pull from alternate repo and by digest
• Stub out executor.Describe with some real (but still incomplete) stuff
• Update to containerd a160a6a0682a46808dd117fe087510d65cd1e041
• dist-pull script continues to shrink with new containerd API functionality

[stevvooe]

@ijc Check out containerd/containerd#904 to see if that will help here. The intent of that PR is to make things less hacky. Should we merge this and have another PR that uses the new client package?

[ijc]

@stevvooe Yes, I expect containerd/containerd#904 to help a great deal. I'm OK to merge this and port over to that in a future PR if the maintainers are.

The two outstanding review comments here are:

1. implement direct containerd Executor. #1965 (review) on what to do with the event stream if containerd dies (looking into this now, I think I have an answer).
2. implement direct containerd Executor. #1965 (review) on the subject of getting all events.

We've already deferred #1965 (review) (healthcheck) with a TODO.

[ijc]

Force pushed an update:

• rebase onto latest master
• handle reconnecting to containerd if it goes away and returns
• drop the Engine field from node description since Only filter on plugins if running with docker engine #2192 was merged
• wire up generic resources
• update to containerd 7fc91b05917e, involved porting over the introduction of the container metadata service

I think I need to spend some time tidying up the usage of the snapshotters etc and the new metadata service, it's a bit organic rather than using as they are designed I think. IMHO these needn't block merging.

@stevvooe said he had a nearly complete event filtering package, which I'll hopefully be able to use to address #1965 (review). Maybe that could also be done in a followup.

Lastly, "wire up generic resources" was just wiring the supplied genericResources through to my Describe method, exactly as is done in the dockerapi executor, it doesn't look like I needed to do anything more but #2090 was pretty daunting to read through.

[aaronlehmann]

Might be a bit overly verbose?

[ijc]

Yes, it should either be more informative (i.e. say what it is waiting for) or be removed. I think I'll err on the side of removing it.

[ijc]

FTR it was more informative, since ctx carries various things including the task id and includes them in the log messages. I've removed it anyway though.

[aaronlehmann]

Is this the only function that calls r.adapter.events?

Since it unconditionally reopens the Events stream here, I wonder if the retry logic in r.adapter.events is actually necessary or even desirable.

I must have missed this before.

[ijc]

Well spotted, I'd forgotten all about this code when I added the retry to the r.adapter.events code.

What's odd is that when I simulated an event stream failure (by restarting containerd) the error did bubble up to failing the task rather than restarting here. I'll need to investigate why before I kill the retry code.

[ijc]

My theory is that the first call to c.taskClient.Events in r.adapter.events didn't have the grpc.FailFast(false), so it would go through this outer retry and them immediately fail because containerd hadn't actually restarted yet.

I think adding the FailFast unconditionally would be ok and allow me to remove the retry loop in r.adapter.events. I'll give that a shot.

[ijc]

It seemed to work. I took the opportunity to add a check that we hadn't missed an exit event while the stream was away too.

[aaronlehmann]

Non-blocking: I prefer to emit this as a single log line. Otherwise it might be difficult to parse if it's interleaved with other log lines from concurrent threads.

[ijc]

This set of messages is pretty verbose (with very long lines) and not all that useful now that I have it working, so I think I'll just nuke it.

[aaronlehmann]

LGTM

If this is merged in its current state, please open an issue about event filtering. I'd like to make sure that gets addressed.

[ijc]

I rebased and squashed the fixups again.

I have filed #2219 for the event filtering issue. I don't seem to be able to assign, please someone who can feel free to assign it to me.

[stevvooe]

LGTM

#2219 is blocked on me and @ehazlett.

[crosbymichael]

How does integration tests work with swarm? Is there a way to test the tests with this integration outside of moby?

[aaronlehmann]

We have some swarmkit-level integration tests in the integration directory. Currently, these work by mocking out the executor instead of running an running an actual swarm daemon. At a higher level, there are the moby integration-cli tests, and the docker-e2e tests (not open source, AFAIK). Both of the latter rely on a docker daemon.

[ijc]

I was just thinking about automated testing too (OK, I'm a bit late on that one, I confess!) I'll create a new issue.