providers, podman: support podman 2.0 #1728
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
sorry, but we don't have CI for podman, is this going to work for both 1.9 and 2.0? |
yes, I've tested it both with 1.9 and 2.0 |
|
/test pull-kind-conformance-parallel-1-16 |
the podman inspect format changed, attempt to parse using both formats. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| @@ -180,7 +180,6 @@ func runArgsForNode(node *config.Node, clusterIPFamily config.ClusterIPFamily, n | |||
| // for now this is what we want. in the future we may revisit this. | |||
| "--privileged", | |||
| "--security-opt", "seccomp=unconfined", // also ignore seccomp | |||
| "--security-opt", "apparmor=unconfined", // also ignore apparmor | |||
There was a problem hiding this comment.
is there any side effect removing this?
There was a problem hiding this comment.
ic
Command Output: Error: invalid config provided: AppArmorProfile and privileged are mutually exclusive options
I'm not very much into apparmor, so my question is about the user experience, does this means the users need to disable apparmor or use specific profiles, or just will work?
There was a problem hiding this comment.
Let's just specify --privileged and drop all --security-opt *.
There was a problem hiding this comment.
Let's just specify
--privilegedand drop all--security-opt *.
that is better, thanks for the suggestion. I've updated the PR
There was a problem hiding this comment.
how does this apply to older versions of podman?
There was a problem hiding this comment.
were these flags just ignored? docker does not throw this error.
There was a problem hiding this comment.
I think it is just a regression in Podman that raises an error when both --privileged and --security-opt apparmor=* are used. There is already an issue to track the problem in podman 2.0 so that --security-opt apparmor= overrides --privileged. For our use case though it doesn't matter since --privileged implies no apparmor and selinux
There was a problem hiding this comment.
SGTM, I just want to make sure we're not not-reporting these 😅
|
@mheon talking about compatibility , if I use the same command we are using in the docker provider, podman 2.0 fails :/ kind/pkg/cluster/internal/providers/docker/provider.go Lines 160 to 166 in c9469c6 |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
/retest |
k8s-ci-robot
added
the
lgtm
|
/test pull-kind-conformance-parallel-1-16 |
1 similar comment
|
/test pull-kind-conformance-parallel-1-16 |
|
1.16 has a regression somewhere in the stack, I'll bypass that job when we're ready to merge. |
| @@ -182,20 +182,45 @@ func (p *Provider) GetAPIServerEndpoint(cluster string) (string, error) { | |||
| return "", errors.Errorf("network details should only be one line, got %d lines", len(lines)) | |||
| } | |||
|
|
|||
| // portMapping maps to the standard CNI portmapping capability | |||
| // portMapping19 maps to the standard CNI portmapping capability used in podman 1.9 | |||
There was a problem hiding this comment.
this also applies to other < 2.0, right?
There was a problem hiding this comment.
yes, this is the struct used by podman <= 1.9
There was a problem hiding this comment.
maybe we should note that /shrug
| @@ -355,7 +353,7 @@ func generatePortMappings(clusterIPFamily config.ClusterIPFamily, portMappings . | |||
| if strings.HasSuffix(hostPortBinding, ":0") { | |||
| hostPortBinding = strings.TrimSuffix(hostPortBinding, "0") | |||
| } | |||
| args = append(args, fmt.Sprintf("--publish=%s:%d/%s", hostPortBinding, pm.ContainerPort, protocol)) | |||
| args = append(args, fmt.Sprintf("--publish=%s:%d/%s", hostPortBinding, pm.ContainerPort, strings.ToLower(protocol))) | |||
There was a problem hiding this comment.
aside: this really seems like a bug in podman.
There was a problem hiding this comment.
Already fixed on master, but it slipped into a few published releases
There was a problem hiding this comment.
docker accepts uppercase AND this is the canonical value in CRI, which is why we're using uppercase https://github.com/kubernetes/cri-api/blob/34366a3c19379c566a82895ce1bcb75d9a502fac/pkg/apis/runtime/v1alpha2/api.pb.go#L58
|
/lgtm |
k8s-ci-robot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
We need to file a bug about 1.16 |
|
@BenTheElder: Overrode contexts on behalf of BenTheElder: pull-kind-conformance-parallel-1-16 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
fix some issues that prevented using podman 2.0
Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com