Add crictl tools in image #21
Conversation
- name: crictl | ||
command: | | ||
VERSION="v1.17.0";\ | ||
curl -fsSLO https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz;\ |
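Review bot: the archive fetched on the `curl -fsSLO` line goes straight into the image with no integrity check, so a swapped or corrupted release asset would be installed silently. Pin the expected sha256 of `crictl-$VERSION-linux-amd64.tar.gz` next to `VERSION`, verify it (e.g. `echo "<sha256>  crictl-$VERSION-linux-amd64.tar.gz" | sha256sum -c -`) before extracting, and let the step fail on a mismatch.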
The problem with this installation approach is that crictl is only needed in Gardener to communicate with the containerd CRI. However, the crictl default configuration points to docker. Crictl in Gardener should point to containerd by default. If containerd is not installed, crictl will not work, but that is fine as the user can just use the regular docker commands then.
Please create the config file for crictl having the configuration for containerd.
Thanks!
Hi @danielfoehrKn, thanks for the comments. I've added one config pointing to unix:///run/containerd/containerd.sock and copied the config file to the crictl default config location, /etc/crictl.yaml.
dotfiles/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock | ||
image-endpoint: unix:///run/containerd/containerd.sock | ||
timeout: 10 | ||
debug: true |
Do you know what this configuration parameter is used for?
I got this sample from https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md. I haven't used crictl before, so do let me know if I need to remove some of the configs...
Apparently the flag --debug enables debug output for crictl itself. So let's not include that by default.
Thanks, I've removed the debug line from the config.
@@ -131,7 +131,9 @@ | |||
VERSION="v1.17.0";\ | |||
curl -fsSLO https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz;\ | |||
tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin;\ | |||
rm -f crictl-$VERSION-linux-amd64.tar.gz | |||
rm -f crictl-$VERSION-linux-amd64.tar.gz;\ | |||
rm -rf /etc/crictl.yaml;\ |
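Review bot: `rm -rf /etc/crictl.yaml;\` on the last added line unconditionally discards whatever configuration is already on the node, and the thread later points out that node images can ship with crictl (and its config) preinstalled. Guard the write instead of deleting first, e.g. `[ -e /etc/crictl.yaml ] || cp crictl.yaml /etc/crictl.yaml`, and if a removal is kept, `rm -f` is the right call for a single file; `-r` adds nothing here.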
Maybe we should not delete an existing configuration on the node. What do you think about only adding it when it is not available yet?
I checked this file's status before cp-ing the new one. The installation process of crictl doesn't create a config if you don't run it; after you run crictl for the first time, it will create an /etc/crictl.yaml which contains one line of null in it. The default config will point to unix:///var/run/dockershim.sock, which is not the desired containerd. What do you think?
What I mean is that, whenever an operator launches another ops/toolbelt pod, this will override the current /etc/crictl.yaml file on the host.
But thinking about it, that might be even better.
Follow up on this: there are cases when the node image already has crictl installed, so overriding an already existing config should be avoided. PN me for more details.
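The behaviour the last few comments converge on (point crictl at containerd, but never clobber a config an operator or the node image already put in place, while still replacing the `null`-only placeholder crictl writes on its first run) can be expressed as a small idempotent shell step. The script below is an added example, not code from this PR or from the ops-toolbelt project; the path and socket URI are parameters so it can be exercised against a scratch directory, the script name in the final guard is assumed, and the "file containing only `null`" case is taken from the description given in the thread.

```shell
#!/bin/sh
# Added example (not code from the gardener ops-toolbelt PR): install a crictl
# config that points at containerd, but only where no usable config exists yet.
# Assumptions: the target path and socket URI are parameters so the logic can be
# exercised against a scratch directory; the "null"-only file is the placeholder
# the thread reports crictl writing on its first run.

# Returns 0 when $1 is absent, empty, or contains only the literal "null"
# (i.e. there is no operator-provided configuration worth preserving).
crictl_config_is_placeholder() {
    path="$1"
    [ -s "$path" ] || return 0
    content=$(tr -d '[:space:]' < "$path")
    [ "$content" = "null" ]
}

# Writes a containerd-only crictl config to $1 using socket $2 when no real
# config exists; otherwise leaves the file untouched. Prints "written" or "kept".
install_crictl_config() {
    path="$1"
    sock="$2"
    if crictl_config_is_placeholder "$path"; then
        # Write to a temp file in the same directory, then rename, so a crash
        # mid-write never leaves a half-written /etc/crictl.yaml behind.
        tmp=$(mktemp "$path.XXXXXX")
        cat > "$tmp" <<EOF
runtime-endpoint: $sock
image-endpoint: $sock
timeout: 10
EOF
        chmod 0644 "$tmp"
        mv -f "$tmp" "$path"
        echo written
    else
        echo kept
    fi
}

# Stand-alone use (assumed script name): install the host config as root.
if [ "${0##*/}" = "install-crictl-config.sh" ]; then
    install_crictl_config /etc/crictl.yaml unix:///run/containerd/containerd.sock
fi
```

Because the write is skipped whenever a non-placeholder file exists, relaunching the toolbelt pod repeatedly leaves a preinstalled or operator-edited /etc/crictl.yaml exactly as it was, and the `debug` key from the earlier draft is deliberately absent.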
Looks good to me. Thanks
94a935b to fd57209
Thanks, I've squashed into one commit. Can someone from the code owners have a review on this PR? Thanks ;)
@danielfoehrKn @neo-liang-sap have you tried it out to see if it works?
Another thing that came to my mind: installing crictl when the pod is a non-root pod does not make sense. Can that somehow be turned off when running in non-root?
@petersutter dashboard-deployed pods are always running as non-root, correct? So crictl would not make sense for the dashboard?
Hi @petersutter @danielfoehrKn, I tested locally using I also tried run Thanks, and do let me know if there's another scenario I didn't cover/test.
The pipeline always pushes the image to gcr, here it is for your latest commit
Hi @petersutter, thanks, I've tested on one shoot node and it's working; I also verified the config file in /etc/crictl.yaml. BTW, I never got access to ci/publish and other jobs (e.g. https://concourse.ci.gardener.cloud/builds/29092); after I tried to log in with my GitHub username/password I got 404 not found. Whom should I refer to in order to apply for (maybe) the permission I'm lacking to access the CI? Thanks
@danielfoehrKn the ops-toolbelt is run by default as non-root, however in the settings you can enable the
@petersutter that's actually a super cool feature that I did not know about (maybe it could be somehow more prominent with a checkbox or something, just an idea). Yes, I have a containerd installation on my local setup. Will try it out soon and update here.
@danielfoehrKn did you have the time to try it out?
@neo-liang-sap have you checked if this is possible?
PR is modified based on review comments
conflicts resolved
@danielfoehrKn what are the benefits? Probably we can close this PR and open a new one for nerdctl.
nerdctl is a docker-compatible CLI for containerd. And containerd is the only CRI-compatible container runtime Gardener supports at the moment.
So what's the decision? I'm totally fine with closing this PR and working on a new ticket for nerdctl.
@jfortin-sap, let's close this PR and open a new one for nerdctl. Tbh the change shouldn't be much different than the current one. Again, just add in the
@plkokanov I guess you meant to mention me and not Jonathan ;), sure I will follow up
Yeah, oops @neo-liang-sap, sorry.
What this PR does / why we need it:
Add crictl tools in ops-toolbelt image
Which issue(s) this PR fixes:
Fixes #19
Special notes for your reviewer:
Release note: