New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkg/cri: switch internals to CRI v1, add ingress/egress v1/v1alpha2 CRI conversion. #781
Conversation
Codecov Report
@@ Coverage Diff @@
## master #781 +/- ##
=======================================
Coverage 34.87% 34.87%
=======================================
Files 60 60
Lines 8874 8874
=======================================
Hits 3095 3095
Misses 5477 5477
Partials 302 302
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, I'm ok with all of this. One separate worry that I have is about "unsafe.Pointer()" cast for practically 100% of data structures: does match in all cases of we have something that might be problematic?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Right now the option is enabled by default, is the plan to disable it by default or remove it, in the future?
The CRI-O guys landed a few commits in the |
Yes, that's exactly what I had in mind: first we have it as opt-out, once we're sure we can expect mostly everybody to talk v1 we make it opt-in, and eventually we remove it altogether. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested on debian-sid with
- kubelet v1.19.0 (CRI v1alpha2) + containerd v1.6.0-41-gc523102b5
- kubelet v1.23.4 (CRI v1) + containerd v1.6.0-41-gc523102b5
...and it works fine.
Also tried out with containerd v1.4.0, that talks CRI v1alpha2.
As promised in the commit message, this is not supposed to work. cri-resmgr output:
F0303 07:32:12.850610 4447 main.go:89] failed to start resource manager: resource-manager: cache synchronization pod query failed: rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService
My only question would be related to this. Merging the PR will prevent using CRI-RM master branch with older container runtime versions, which will make it harder to integrate CRI-RM to certain environments. On the other hand, without this PR, CRI-RM works with old and new kubelet and runtimes as our primary backend runtimes implement compatibility layers.
What do you think, should we add support for v1alpha2 towards CRI runtimes, too? (In this PR or in a separate PR?)
The initial idea was to support bridging in both directions. Then I quite quickly changed my mind regarding bridging from new clients to old runtimes. I think that is neither worth the effort nor necessarily very safe: I'm not sure if clients talking the new protocol version would expect talking to that old a runtime. Also looking at the official EOL chart, I think dropping support for 1.19/older should not be a problem... If we consider keeping v1alpha2 support around for a longer time, then I think using a dedicated branch/per-release branches/binary/binaries for it could/would probably be the way to go. That branch/those branches would simply have one additional commit swapping v1 for v1alpha2. WDYT? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @klihub! This sounds reasonable.
LGTM.
@kad @marquiz @askervin @jukkar @fmuyassarov Once we are 100 % sure that we don't want/need to support any |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not well aware of the internals of CRI-resource-manager yet, but these changes look good to me from the code perspective.
In our e2e test point of view... I didn't run full tests here, but checked that cri-resmgr can talk to distro's on-the-stock containerd:
ubuntu-20.04 end-of-life is Aug/2025. What do you think? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps some explanation could be added to the commented out code, now it is unclear why it is done like that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @klihub. Looks basically really good to me. Just a few notes that I leave to your consideration
360fd60
to
1ef334b
Compare
Implement v1/v1alpha2 CRI protocol conversion on the ingress where we act as a CRI server for a client. Do the protocol conversion by marshalling v1alpha2 then unmarshalling it into v1 for requests and the other way around for responses. Although this is slower than relying on the versions to be struct-compatible and doing an unsafe cast, it is much safer should the versions divert.
Add CRI v1 and v2 client backends. v1 simply forwards all request and responses to and from the runtime unmodified. v1alpha2 uses the v1alpha1 protocol towards the runtime. It receives all requests and returns all responses as v1, the native format used within cri-resmgr, converting all requests and responses as necessary. Conversion is done by marshalling v1 requests then unmarshalling them into v1alpha2, and the other way around for responses. While this is slower than relying on the versions to be kept struct-compatible and doing an unsafe cast, it is much safer should the versions divert. Implement v1/v1alpha2 CRI protocol conversion on the egress. During connection establishment probe for the v1 protocol then for v1alpha2 and use the first one available.
1ef334b
to
f7ca4a4
Compare
pkg/cri/resource-manager/policy/builtin/topology-aware/mocks_test.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @klihub for this enhancement! Provides nice support accross different k8s and runtime versions.
LGTM
Switch the native/internal representation of pods and containers everywhere to CRI v1.
Implement ingress and egress protocol conversion between v1alpha2 and v1 to support
both pre-v1 clients and runtimes.