providers, podman: support podman 2.0 #1728
sorry, but we don't have CI for podman, is this going to work for both 1.9 and 2.0?
yes, I've tested it both with 1.9 and 2.0
/test pull-kind-conformance-parallel-1-16
the podman inspect format changed, attempt to parse using both formats. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@@ -180,7 +180,6 @@ func runArgsForNode(node *config.Node, clusterIPFamily config.ClusterIPFamily, n | |||
// for now this is what we want. in the future we may revisit this. | |||
"--privileged", | |||
"--security-opt", "seccomp=unconfined", // also ignore seccomp | |||
"--security-opt", "apparmor=unconfined", // also ignore apparmor |
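Review bot: the apparmor=unconfined entry dropped from the argument list in runArgsForNode needs a comment in its place, because the remaining "--security-opt", "seccomp=unconfined" line still reads "also ignore seccomp" and a later reader will not know why AppArmor is handled differently. State next to "--privileged" that it is relied on to disable AppArmor confinement and that an explicit AppArmor option cannot be passed together with it, and confirm on each supported podman version that the node container starts with the shortened list.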
is there any side effect removing this?
ic
Command Output: Error: invalid config provided: AppArmorProfile and privileged are mutually exclusive options
I'm not very much into apparmor, so my question is about the user experience, does this mean the users need to disable apparmor or use specific profiles, or just will work?
Let's just specify --privileged and drop all --security-opt *.
Let's just specify --privileged and drop all --security-opt *.
that is better, thanks for the suggestion. I've updated the PR
how does this apply to older versions of podman?
were these flags just ignored? docker does not throw this error.
I think it is just a regression in Podman that raises an error when both --privileged and --security-opt apparmor=* are used. There is already an issue to track the problem in podman 2.0 so that --security-opt apparmor= overrides --privileged. For our use case though it doesn't matter since --privileged implies no apparmor and selinux
SGTM, I just want to make sure we're not not-reporting these 😅
@mheon talking about compatibility, if I use the same command we are using in the docker provider, podman 2.0 fails :/
kind/pkg/cluster/internal/providers/docker/provider.go Lines 160 to 166 in c9469c6
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
/retest
/test pull-kind-conformance-parallel-1-16
1.16 has a regression somewhere in the stack, I'll bypass that job when we're ready to merge.
@@ -182,20 +182,45 @@ func (p *Provider) GetAPIServerEndpoint(cluster string) (string, error) { | |||
return "", errors.Errorf("network details should only be one line, got %d lines", len(lines)) | |||
} | |||
|
|||
// portMapping maps to the standard CNI portmapping capability | |||
// portMapping19 maps to the standard CNI portmapping capability used in podman 1.9 |
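Review bot: the doc comment on portMapping19 says "used in podman 1.9", which names a single release; if the struct describes the inspect output of every release before 2.0, write the range into the comment so the boundary between the two formats is explicit. The hunk grows GetAPIServerEndpoint from 20 to 45 lines to handle both formats, so a unit test that feeds one captured inspect output per format through the parser would guard the fallback path.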
this also applies to other < 2.0, right?
yes, this is the struct used by podman <= 1.9
maybe we should note that /shrug
@@ -355,7 +353,7 @@ func generatePortMappings(clusterIPFamily config.ClusterIPFamily, portMappings . | |||
if strings.HasSuffix(hostPortBinding, ":0") { | |||
hostPortBinding = strings.TrimSuffix(hostPortBinding, "0") | |||
} | |||
args = append(args, fmt.Sprintf("--publish=%s:%d/%s", hostPortBinding, pm.ContainerPort, protocol)) | |||
args = append(args, fmt.Sprintf("--publish=%s:%d/%s", hostPortBinding, pm.ContainerPort, strings.ToLower(protocol))) |
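Review bot: the strings.ToLower(protocol) call inside the --publish Sprintf in generatePortMappings has no comment saying why the value must be lowercased, so it looks like an arbitrary normalisation. Add a one-line comment above the append giving the reason the lowercase form is required, so the call can be dropped once it is no longer needed, and consider normalising protocol where it is assigned rather than at the point of formatting.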
aside: this really seems like a bug in podman.
Already fixed on master, but it slipped into a few published releases
docker accepts uppercase AND this is the canonical value in CRI, which is why we're using uppercase https://github.com/kubernetes/cri-api/blob/34366a3c19379c566a82895ce1bcb75d9a502fac/pkg/apis/runtime/v1alpha2/api.pb.go#L58
ack, thanks
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: BenTheElder, giuseppe
We need to file a bug about 1.16
@BenTheElder: Overrode contexts on behalf of BenTheElder: pull-kind-conformance-parallel-1-16
/hold cancel
fix some issues that prevented using podman 2.0
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>