Add crictl tools in image #21
Conversation
gardener-robot-ci-2
added
the
reviewed/ok-to-test
gardener-robot-ci-3
added
needs/ok-to-test
| - name: crictl | ||
| command: | | ||
| VERSION="v1.17.0";\ | ||
| curl -fsSLO https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz;\ |
There was a problem hiding this comment.
The problem with this installation approach is that crictl is only needed in Gardener to communicate with containerd CRI. However the crictl default configuration points to docker. Crictl in Gardener should point per default to containerd. If containerd is not installed crictl will not work, but that is fine as the user can just use the regular docker commands then.
Please create the config file for crictl having the configuration for containerd.
Thanks!
There was a problem hiding this comment.
Hi @danielfoehrKn , thanks for the comments, i've added one config pointing to unix:///run/containerd/containerd.sock and copy the config file to crictl default config location in /etc/crictl.yaml
gardener-robot-ci-3
added
reviewed/ok-to-test
dotfiles/crictl.yaml
Outdated
| runtime-endpoint: unix:///run/containerd/containerd.sock | ||
| image-endpoint: unix:///run/containerd/containerd.sock | ||
| timeout: 10 | ||
| debug: true |
There was a problem hiding this comment.
Do you know what this configuration parameter is used for?
There was a problem hiding this comment.
i got this sample from https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md - i haven't used crictl before so do let me know if i need to remove some of the configs...
There was a problem hiding this comment.
Apparently the flag --debug enables debug output for crictl itself. So lets not use include that per default.
There was a problem hiding this comment.
thanks, i've removed debug line from the config
| @@ -131,7 +131,9 @@ | |||
| VERSION="v1.17.0";\ | |||
| curl -fsSLO https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz;\ | |||
| tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin;\ | |||
| rm -f crictl-$VERSION-linux-amd64.tar.gz | |||
| rm -f crictl-$VERSION-linux-amd64.tar.gz;\ | |||
| rm -rf /etc/crictl.yaml;\ | |||
There was a problem hiding this comment.
Maybe we should not delete an existing configuration on the node. What do you think about only adding it when it is not available yet?
There was a problem hiding this comment.
i checked this file status before cp the new one - the installation process of crictl doesn't create config if you don't run it, after you first time run crictl it will create an /etc/crictl.yaml which contains one line of null in it.
the default config will point to unix:///var/run/dockershim.sock which is not desired containerd
what do you think?
There was a problem hiding this comment.
What I mean is that, whenever an operator launches another ops/toolbelt pod, this will override the current /etc/crictl.yaml file on the host.
But thinking about it, that might be even better.
There was a problem hiding this comment.
Follow up on this: there are cases when the node image already got crictl installed- so overriding an already existing config should be avoided. PN me for more details.
gardener-robot-ci-3
added
reviewed/ok-to-test
neo-liang-sap
force-pushed
the
issue-19-add-crictl
branch
from
94a935b
to
fd57209
Compare
gardener-robot-ci-3
added
the
reviewed/ok-to-test
gardener-robot-ci-1
removed
the
reviewed/ok-to-test
|
thanks, i've squash into one commit, can someone from code owner have a review on this PR? thanks ;) |
|
@danielfoehrKn @neo-liang-sap have you tried it out if it works? |
There was a problem hiding this comment.
Another thing that came to my mind: installing crictl when the pod is a non-root pod does not make sense. Can that somehow be turned off when running in non-root?
@petersutter dashboard deployed pods are always running as non-root correct? So crictl would not make sense for the dashboard?
gardener-robot-ci-1
added
reviewed/ok-to-test
|
Hi @petersutter @danielfoehrKn , I tested locally using I also tried run Thanks and do let me know if there's other scenario i didn't covered/tested |
|
The pipeline always pushes the image to gcr, here it is for your latest commit |
|
Hi @petersutter, thanks, i've tested on one shoot node and it's working, also verified the config file in /etc/crictl.yaml BTW i never got access to ci/publish and other jobs (e.g.)https://concourse.ci.gardener.cloud/builds/29092 , after i tried login with github username/password i got 404 not found - whom should i refer to apply for (maybe) i'm lacking permission to access the CI? thanks |
@danielfoehrKn the ops-toolbelt is run by default as non-root, however in the settings you can enable the |
|
@petersutter thats actually a super cool feature that I did not know about (maybe it could be somehow more prominent with a checkbox or something - just an idea). Yes I got a containerd installation on my local setup. Will try it out soon and update here. |
|
@danielfoehrKn did you have the time to try it out? |
@neo-liang-sap have you checked if this is possible? |
gardener-robot-ci-1
added
the
reviewed/ok-to-test
gardener-robot-ci-2
removed
the
reviewed/ok-to-test
gardener-robot
added
size/xs
gardener-robot-ci-2
added
reviewed/ok-to-test
gardener-robot-ci-1
added
the
reviewed/ok-to-test
gardener-robot-ci-3
removed
the
reviewed/ok-to-test
gardener-robot-ci-3
added
the
reviewed/ok-to-test
gardener-robot-ci-1
removed
the
reviewed/ok-to-test
|
PR are modified based on review comments |
gardener-robot
added
the
lifecycle/rotten
|
conflicts resolved |
gardener-robot-ci-1
added
the
reviewed/ok-to-test
gardener-robot-ci-2
removed
the
reviewed/ok-to-test
@danielfoehrKn what are the benefits? Probably we can close this PR and open a new one for nerdctl. |
|
nerdctl is a docker-compatible CLI for containerd. And containerd is the only CRI compatible container runtime Gardener supports at the moment. |
|
so what's the decision? i'm totally fine with closing this PR and work on a new ticket for nerdctl |
|
@jfortin-sap, let's close this PR and open a new one for nerdctl. Tbh the chang shouldn't be much different than the current one. Again, just add in the |
|
@plkokanov i guess you were to mentioning me but not Jonathan ;) , sure i will follow up |
|
Yeah, oops @neo-liang-sap, sorry. |
What this PR does / why we need it:
Add crictl tools in ops-toolbelt image
Which issue(s) this PR fixes:
Fixes #19
Special notes for your reviewer:
Release note: