mount node product_uuid and product_name in pod containers #2321
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: qinqon The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @qinqon. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
qinqon
force-pushed
the
random-product-uuid
branch
from
d00c823
to
fae02be
Compare
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
images/base/Dockerfile
Outdated
| @@ -144,6 +145,7 @@ RUN echo "Installing containerd ..." \ | |||
| && chmod 755 /usr/local/sbin/runc \ | |||
| && containerd --version \ | |||
| && runc --version \ | |||
| && ctr oci spec |jq '.mounts[.mounts | length] |= . + {"destination": "/sys/class/dmi/id/product_uuid", "source": "/proc/sys/kernel/random/uuid", "options": ["bind"]}'> /etc/containerd/cri-base.json \ | |||
There was a problem hiding this comment.
Mount should be read only?
Why wouldn't we mount the file from the kind node instead of a random file per container?
There was a problem hiding this comment.
Do we have to mimic https://github.com/kubernetes-sigs/kind/blob/main/images/base/files/usr/local/bin/entrypoint#L280-L289 too ?
| # base_runtime_spec is a file path to a JSON file with the OCI spec that will be used as the base spec that all | ||
| # container's are created from. | ||
| # Use containerd's `ctr oci spec > /etc/containerd/cri-base.json` to output initial spec file. | ||
| # Spec files are loaded at launch, so containerd daemon must be restarted on any changes to refresh default specs. |
There was a problem hiding this comment.
We only need to justify why were are setting this, we can leave the rest to the upstream docs without repeating all of it here. We can also see what we're doing in the referenced file in the other sources.
qinqon
force-pushed
the
random-product-uuid
branch
from
fae02be
to
b31b384
Compare
qinqon
force-pushed
the
random-product-uuid
branch
from
b31b384
to
e196b8a
Compare
|
@BenTheElder I have move to the entrypoint the modification of OCI spec so we can do like other product_uuid https://github.com/kubernetes-sigs/kind/compare/b31b3842d57c6e712eb2332baafeb58e7e23ca3f..e196b8abd76be173bdb277665034edaccfb20ebc But I was not able to do it for the virtual one, since /sys/device is mounted read only. |
| fi | ||
| if [[ -f /sys/devices/virtual/dmi/id/product_uuid ]]; then | ||
| echo 'INFO: faking /sys/devices/virtual/dmi/id/product_uuid as well' >&2 | ||
| mount -o ro,bind /kind/product_uuid /sys/devices/virtual/dmi/id/product_uuid | ||
| #cat <<< "$(jq '.mounts[.mounts | length] |= . + {"destination": "/sys/device/virtual/dmi/id/product_uuid", "source": "/kind/product_uuid", "options": ["ro", "bind"]}' < /etc/containerd/cri-base.json)" > /etc/containerd/cri-base.json |
There was a problem hiding this comment.
remove commented code?
edit: or just fix the typo 😅 , see #2321 (comment)
There was a problem hiding this comment.
Ups.... fixed, thanks!
|
sorry, will get back to this tomorrow, I'm probably still the best person to review this but I've been a bit behind.
I think the problem is actually just that it should be |
qinqon
force-pushed
the
random-product-uuid
branch
from
e196b8a
to
79d9106
Compare
|
The k8s conformance tests does not check product_uuid at pods right ? |
not as far as I know, but some things try to read product_name as well (kubelet does, not the tests), we might also want to mount that while we're at it. |
I was thinking about adding some tests for this, but maybe it's not worth it, I can put in place an extra commit with product_name I see product_name is "hacked" too kind/images/base/files/usr/local/bin/entrypoint Lines 262 to 270 in 9fe9644 UPDATE: Confirmed that product_name has the same issue $ for pod in $(kubectl get pod -n kube-system -o wide |grep kube-proxy |awk '{print $1}'); do kubectl exec -n kube-system $pod cat /sys/class/dmi/id/product_name /sys/devices/virtual/dmi/id/product_name ;done
20HGS22D0C
20HGS22D0C
20HGS22D0C
20HGS22D0C
20HGS22D0C
20HGS22D0C20HGS22D0C is my laptop's product_name UPDATE2: The product_name at "nodes" [ellorent@localhost images]$ docker exec kind-control-plane cat /sys/devices/virtual/dmi/id/product_name /sys/devices/virtual/dmi/id/product_name
kind
kind
[ellorent@localhost images]$ docker exec kind-worker cat /sys/devices/virtual/dmi/id/product_name /sys/devices/virtual/dmi/id/product_name
kind
kind
[ellorent@localhost images]$ docker exec kind-worker2 cat /sys/devices/virtual/dmi/id/product_name /sys/devices/virtual/dmi/id/product_name
kind
kind |
|
/hold cancel working fine now: $ for pod in $(kubectl get pod -n kube-system -o wide |grep kube-proxy |awk '{print $1}'); do kubectl exec -n kube-system $pod cat /sys/class/dmi/id/product_uuid /sys/devices/virtual/dmi/id/product_uuid ;done
5fec4d4d-826c-4c5d-9ab4-eb7e811d2f47
5fec4d4d-826c-4c5d-9ab4-eb7e811d2f47
da43c828-f1e0-4ce4-a842-40b3d5a0d828
da43c828-f1e0-4ce4-a842-40b3d5a0d828
bddd0385-2f21-4335-9875-530e9a2deaae
bddd0385-2f21-4335-9875-530e9a2deaae |
k8s-ci-robot
removed
the
do-not-merge/hold
BenTheElder
changed the title
qinqon
force-pushed
the
random-product-uuid
branch
from
79d9106
to
40ca52e
Compare
@AkihiroSuda what would you propose the abstraction be like? OCI gets us close with "insert some additional standard mounts in the base config" but it seems we have contention?/performance issues if we don't do a file per container. I'm not sure what would be reasonable for suggesting containerd do this. |
I was thinking that we could just have a new boolean like But at least, let's avoid parsing JSON with sed. |
k8s-ci-robot
added
the
needs-rebase
Going back to installing jq at node containers and use it is ok ? |
Yes, SGTM (non-binding) |
qinqon
force-pushed
the
random-product-uuid
branch
from
36046ef
to
15d0be9
Compare
k8s-ci-robot
removed
the
needs-rebase
Added a commit with it, since jq is quite small It may be not an issue to keep it installed at the node container. |
|
@AkihiroSuda, this is ready now with your suggestion. |
|
@BenTheElder is this PR ok, or do it present any problem? |
|
I'm fine with merging and iterating, the issue is legit #2318 and I think that we have explored all the possibles alternatives. |
When pods are running at kind cluster their product_uuid and product_name is the same since the share the kernel vfs, this PR add a new mount to OCI spec to bind mount node's product_uuid and product_name into pod's containers. Signed-off-by: Quique Llorente <ellorent@redhat.com>
qinqon
force-pushed
the
random-product-uuid
branch
from
15d0be9
to
9834db3
Compare
Done |
|
@qinqon: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Bum image blocked by docker/buildx#772 |
|
This will go in this PR #2465 , with the base image bump |
|
rebased version merged in #2465, thank you! |
The new KinD k8s-1.22 nodes includes a change [1] [2] that allows us to stop using PodPresets and still support Kubevirt Live Migration. [1] kubernetes-sigs/kind#2465 [2] kubernetes-sigs/kind#2321 Signed-off-by: Or Mergi <ormergi@redhat.com>
The new KinD k8s-1.22 nodes includes a change [1] [2] that allows us to stop using PodPresets and still support Kubevirt Live Migration. [1] kubernetes-sigs/kind#2465 [2] kubernetes-sigs/kind#2321 Signed-off-by: Or Mergi <ormergi@redhat.com>
The new KinD k8s-1.22 nodes includes a change [1] [2] that allows us to stop using PodPresets and still support Kubevirt Live Migration. [1] kubernetes-sigs/kind#2465 [2] kubernetes-sigs/kind#2321 Signed-off-by: Or Mergi <ormergi@redhat.com>
When pods are running at kind cluster their product_uuid and product_name is the same since the share the kernel vfs, this PR add a new mount to OCI spec to bind mount node's product_uuid and product_name into pod's containers.
This is the result
Closes ##2318