gha: Setup nydus snapshotter for CoCo tests #8585
Conversation
ChengyuZhu6
force-pushed
the
dependencies-for-guest-pull
branch
from
ad511c4
to
6e15249
Compare
ChengyuZhu6
requested review from
fidencio,
stevenhorsman,
jiangliu and
wainersm
ChengyuZhu6
force-pushed
the
dependencies-for-guest-pull
branch
6 times, most recently
from
c620fac
to
3800892
Compare
ChengyuZhu6
force-pushed
the
dependencies-for-guest-pull
branch
from
3800892
to
715067b
Compare
|
In order to make things consistent for both Kata Containers and Confidential Containers, I wonder if we work with the nydus community to have a payload coming from them, that could be used both here and by the Confidential Containers CI. This would reduce a lot the chances of misconfigurations, and that would be a "trusted" source that both projects could consume. IOW, we'd provide them the patches, and then consume their payload here and in CoCo. WDYT? |
I think that's a great idea. |
|
@stevenhorsman @fidencio The PR has been merged. |
|
@stevenhorsman @fidencio Should we support an official release of the Nydus snapshotter for arm64? |
ChengyuZhu6
force-pushed
the
dependencies-for-guest-pull
branch
4 times, most recently
from
d1e05a1
to
23f135b
Compare
ChengyuZhu6
force-pushed
the
dependencies-for-guest-pull
branch
from
f0c1082
to
16b8552
Compare
I think it would be worth starting on this as in main we produce arm64 payloads, even if we don't have any CCA runtime, or tests yet AFAIK. I don't think it should block this PR though |
|
The failures about |
ChengyuZhu6
force-pushed
the
dependencies-for-guest-pull
branch
from
f243450
to
986555e
Compare
ChengyuZhu6
force-pushed
the
dependencies-for-guest-pull
branch
5 times, most recently
from
9de3605
to
027f570
Compare
ChengyuZhu6
force-pushed
the
dependencies-for-guest-pull
branch
5 times, most recently
from
3cf3080
to
470d491
Compare
|
/test |
|
@fidencio @wainersm @stevenhorsman I found that the snapshotter can be deployed and cleaned up as expected. This PR does not configure the snapshotter in containerd, so it should not affect the existing tests. However, I encountered some failures that I could not explain. Could you please help me troubleshoot them? If the tests pass, can we merge the PR first? |
| @@ -21,7 +21,8 @@ DOCKER_REGISTRY=${DOCKER_REGISTRY:-quay.io} | |||
| DOCKER_REPO=${DOCKER_REPO:-kata-containers/kata-deploy-ci} | |||
| DOCKER_TAG=${DOCKER_TAG:-kata-containers-latest} | |||
| KATA_DEPLOY_WAIT_TIMEOUT=${KATA_DEPLOY_WAIT_TIMEOUT:-10m} | |||
| KATA_HYPERVISOR=${KATA_HYPERVISOR:-qemu} | |||
| SNAPSHOTTER_DEPLOY_WAIT_TIMEOUT=${SNAPSHOTTER_DEPLOY_WAIT_TIMEOUT:-5m} | |||
| KATA_HYPERVISOR=${KATA_HYPERVISOR-qemu} | |||
There was a problem hiding this comment.
| KATA_HYPERVISOR=${KATA_HYPERVISOR-qemu} | |
| KATA_HYPERVISOR=${KATA_HYPERVISOR:-qemu} |
| echo "::endgroup::" | ||
| } | ||
|
|
||
| function cleanup_snapshotter() { | ||
| echo "::group::Cleanuping ${SNAPSHOTTER:-}" | ||
| #TODO Add the logic for cleaning up the snapshotter in PR https://github.com/kata-containers/kata-containers/pull/8585. | ||
| case ${SNAPSHOTTER:-} in |
There was a problem hiding this comment.
I'd prefer having SNAPSHOTTER declared atop, instead of having SNAPSHOTTER:- everywhere.
| sleep 180s | ||
| kubectl delete -f "misc/snapshotter/nydus-snapshotter-rbac.yaml" | ||
| popd | ||
| sleep 180s |
There was a problem hiding this comment.
rbac deletion usually is quite fast, I'd drop this to 30s or so, instead of 3 minutes.
| @@ -21,7 +21,8 @@ DOCKER_REGISTRY=${DOCKER_REGISTRY:-quay.io} | |||
| DOCKER_REPO=${DOCKER_REPO:-kata-containers/kata-deploy-ci} | |||
| DOCKER_TAG=${DOCKER_TAG:-kata-containers-latest} | |||
| KATA_DEPLOY_WAIT_TIMEOUT=${KATA_DEPLOY_WAIT_TIMEOUT:-10m} | |||
| KATA_HYPERVISOR=${KATA_HYPERVISOR:-qemu} | |||
| SNAPSHOTTER_DEPLOY_WAIT_TIMEOUT=${SNAPSHOTTER_DEPLOY_WAIT_TIMEOUT:-5m} | |||
There was a problem hiding this comment.
5m seems like way too much as well, maybe 3 minutes is okay.
There was a problem hiding this comment.
Let's leave this as 5 minutes for now, as I just realised that the kata-deploy timeout is 10 minutes.
fidencio
force-pushed
the
dependencies-for-guest-pull
branch
from
470d491
to
7b1e8e8
Compare
We can use daemonset to deploy nydus snapshotter, which will decrease one manual step both for Kata Containers and Confidential Containers CI. Fixes: kata-containers#8584 Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Cleanup nydus snapshotter by the daemonset. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
fidencio
force-pushed
the
dependencies-for-guest-pull
branch
from
7b1e8e8
to
97fbf36
Compare
|
/test |
There was a problem hiding this comment.
I still cannot tell from a nydus standpoint but LGTM from a pure scripting point of view.
Thanks @fidencio and @ChengyuZhu6 !
| git clone -b "${nydus_snapshotter_version}" "${nydus_snapshotter_url}" "${nydus_snapshotter_install_dir}" | ||
|
|
||
| pushd "$nydus_snapshotter_install_dir" | ||
| if [ "${PULL_TYPE}" == "guest-pull" ]; then |
There was a problem hiding this comment.
Not a review comment, just to remind that PULL_TYPE is set to guest-pull in the pre-PR to this that updates the workflows: a214bd8
This PR is a split of kata-containers#8585. make the changes on the Github workflows, and the skeleton to deploy_snapshotter() and cleanup_snapshotter() in tests/integration/kubernetes/gha-run.sh in this commit. After initially merging this patch to trigger CI jobs for CoCo, which will begin executing the dummy functions deploy_snapshotter() and cleanup_snapshotter(), the implementation details for these functions remain in kata-containers#8585. Our subsequent step involves transferring this logic to the PR kata-containers#8484, enabling the PR to undergo CI testing prior to its merge. Fixes: kata-containers#8997 Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Setup nydus snapshotter for CoCo tests.
Fixes #8584