-
Notifications
You must be signed in to change notification settings - Fork 459
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate usage of docker as container runtime in gardener #4110
Comments
/assign |
I think we should only enforce using containerd for shoots >= Kubernetes v1.22. All shoots < v1.22 should be allowed to use either docker or containerd like today, hence,
should not be necessary, or? Do you see a strong need to enforce containerd for all shoots, even those < v1.22? |
We are using cgroupfs, which is still the default in k8s even though the recommended one is systemd. This change requires node roll out, as well as proper configuration of the CRI as kubelet require to run in the same cgroup.
Such change is not backward compatible and I am against changing anything in existing clusters. Defaulting to
we should do it via new API version, e.g. v1beta2, but I doubt we will go this way. |
Too many people have made themselves dependent on an implementation detail (dockerd underneath), so we cannot change it without users either selecting it as container runtime explicitly or with a new Kubernetes version, which is also explicit. I would suggest the latter, i.e. piggy-back on a new Kubernetes version and the deprecation of the dockershim to ride on that wave and avoid (to some degree) the frustration when these users realise, we are taking away dockerd for good. |
Thanks for the comments y'all! Most of the discussion seems to deal with if/how/when to switch the container runtime for new/existing clusters. Please help me understand your opinions in a bit more details, such that we can make the right decisions here
My understanding is that you're referring to changing the container runtime for already existing clusters here, is that correct? Would you see a similar requirement of an explicit choice for new shoots, even if they are created with a k8s version which technically still allows for using the in-tree dockershim? Our proposal separated switching the default container runtime for new shoots from dealing with already existing clusters. @vpnachev
Just so I get this right: You're saying when we would switch the default container runtime, we would need to update the Seed's API version, because you're regarding this as an API change? @rfranzke, @vpnachev, @vlerenc |
IMO, we don't need a new API version. We change the defaulting in the API for |
API convention@voelzmo if we try to follow strictly the well establish API convention in the k8s community https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md, we must also bump the apiVersion number. Why - because changing the default value from the current implicit For our purpose creating new apiVersion is overkill as
So, to provide more control to the users, we can use the fact the docker-shim is deprecated in particular k8s version and start denying shoot create/update requests for shoot clusters that are on this particular k8s version or higher, if they have not explicitly configured containerd to be the CRI for their cluster. Simply doing this is also not backward compatible change, because we are making optional field required, therefore the solution is to also default the CRI to Just one example for similar change in the shoot API that was bound to k8s version - the default value of gardener/pkg/apis/core/v1beta1/defaults.go Lines 137 to 142 in a12d355
For shoots on k8s 1.19 or higher it is even not possible to enable the basic authentication. gardener/pkg/apis/core/validation/shoot.go Lines 582 to 584 in a12d355
As Gardener already supports k8s 1.21, it can switch the default earliest for shoots on k8s 1.22.
Existing shoot clustersInitially Gardener supported only docker-shim and it was not possible to use containerd, hence I guess most of the shoot cluster outside in the world are using docker, not containerd. Some shoot owners have seen the running docker daemon and as they have the full access to their nodes, they added hard-dependency of their applications to the docker daemon. Thus we cannot blindly migrate their already existing clusters to containerd as we will brake their application. The way forward here is to inform them about the deprecation and removal of docker and let them explicitly migrate to containerd when they are ready. Of course we cannot wait them forever, therefore they can keep using docker as long as their shoot cluster is on older k8s version than the particular one.
Correct. CgroupsI think this is completely different topic and should not be handled in this issue.
This means that we will want to replace the nodes of the cluster when this change is triggered. Line 53 in 87fb662
systemd . To avoid unwanted disruption, this switch should be applied only to newly created worker pools.
|
@voelzmo We may not do that, unless we bind it to the Kubernetes version (we should amend this line in the ticket description's "next steps" with the Kubernetes version condition for clarity - the line after that about the removal as well). Reason being: We have many stakeholders with automation in place, i.e. we cannot change the default behaviour for new clusters. The clusters the people will then get would differ, though the spec they sent would be the same. That is call for trouble. Hence the answer to your question is...
Existing clusters may not be changed, but we also cannot change how new clusters are spun up. That's what I wanted to express with "it must be explicit". So:
Changing the Gardener API version was not proposed in earnest/the thought was only entertained in theory, I believe - @vpnachev listed it merely as option to emphasise the difficulty in changing the default "mid-way", should we have to, but we don't have to/there is no reason to. We can easily bundle it with the next Kubernetes version that we support, so we should. We don't want to create new Gardener API versions as this is a massive undertaking, not common practice in Kubernetes (it is avoided there as well, with the exception of alpha->beta->GA, and annoying to our stakeholders, because they need to switch/adapt one more field and this specifically will make them nervous/trigger questions, what else has changed and generally create uncertainty. We have the luxury (as all in Kubernetes have), to piggy-back such changes on the Kubernetes minor version and so we should always make use of it. Every 4 month, Kubernetes (and therefore Gardener) can rejuvenate itself to some "fair" degree. Not the API specs, of course, but such things as potentially impactful implementation details that change, defaults (when fields are omitted like in our case), etc. are more easily changed then. To me, the only remaining question was whether we want to offer dockerd and CRI+containerd+runc in parallel or not and if yes, for how long. I think you already made the decision that you want to offer it, so that we learn of issues early on. That seems reasonable. You also decided already to not use a fork/the Mirantis dockershim. That also sounds reasonable. Then I would think, the key questions are settled:
|
Thanks for all the detailed comments, I really appreciate you all taking the time to provide more context on your thoughts!
|
Deprecation of docker as container runtime is completed. We created a few tasks are about being able to produce OS images without docker runtime support and other things which might be helpful, but those will be tackled outside this epic. |
How to categorize this issue?
/kind epic
/priority 3
What would you like to be added:
Why is this needed:
docker is the default container runtime in gardener. k8s deprecated the in-tree dockershim in December 2020 and is about to remove it with release 1.24 (~due in April 2022).
Decisions made
docker
explicitly specified in their supported container runtimes, otherwise things will stop working correctly. Our own users don't need to care about this, as we do it for them.We need to make this clear for our open-source users that this is an operator action at some point, so their users can continue to use their gardener installations correctly.Next steps
Further work
docker
in Gardener, such that Gardener can use OS images without docker daemon installed #4673Open Questions
containerd
Tasks
docker
as a container runtime, such that I can switch back to docker when I find out my workload doesn't run nicely oncontainerd
: Allow selecting docker as cri.name #4218containerd
as a default container runtime, such that users no longer get shoots using deprecated functionality: Setcontainerd
as default container runtime for k8s>=1.22 #4222docker
as container runtime, such that users no longer get shoots using deprecated functionality: Prevent Shoots with k8s>=1.23 to havecri.name: docker
#4529docker
when previously created with docker as implicit default): Enh/stable worker hash #4237Container Runtime
for existing workers dashboard#1037docker
container runtime a first-class citizen dashboard#1038containerd
as default for cri.Name in shoots with k8s version >= 1.22 dashboard#1039cri.name=containerd
tocri=nil
still leavescontainerd
running on the node as systemd service #4254: Ensure new osc name for different cri configuration #4289cri.name
, such that I understand what's possible to use in my cluster: Document supported options for cri.name #4314docker
runtime support to explicit specification ofdocker
, such that I don't have to do error-prone manual work myselfdocker
to the list of currently supported container runtimes: Add migration to Cloud Profile adding docker runtime to all MachineImageVersions #4500docker
tocontainerd
The text was updated successfully, but these errors were encountered: