-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add containerd config options #11080
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,7 +12,11 @@ oom_score = {{ containerd_oom_score }} | |
max_send_message_size = {{ containerd_grpc_max_send_message_size }} | ||
|
||
[debug] | ||
address = "{{ containerd_debug_address }}" | ||
level = "{{ containerd_debug_level }}" | ||
format = "{{ containerd_debug_format }}" | ||
uid = {{ containerd_debug_uid }} | ||
gid = {{ containerd_debug_gid }} | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. HI @spnngl When using
So, the default config should not be changed :-) If we want to customize the config, we can use the code:
And the code in
The same as the other variables. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Changed it in last push There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hum, I really disagree with that. It's of little use to match the output of I'd rather have explicit defaults and a more straightforward template, with as little branching as possible. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I put There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What I meant is that we should not have to use {% if containerd_debug_enabled %}
[debug]
setting_1 = {{ containerd_default_value_for_setting_1 }}
...
{% endif %} |
||
[metrics] | ||
address = "{{ containerd_metrics_address }}" | ||
|
@@ -24,6 +28,11 @@ oom_score = {{ containerd_oom_score }} | |
max_container_log_line_size = {{ containerd_max_container_log_line_size }} | ||
enable_unprivileged_ports = {{ containerd_enable_unprivileged_ports | lower }} | ||
enable_unprivileged_icmp = {{ containerd_enable_unprivileged_icmp | lower }} | ||
enable_selinux = {{ containerd_enable_selinux | lower }} | ||
disable_apparmor = {{ containerd_disable_apparmor | lower }} | ||
tolerate_missing_hugetlb_controller = {{ containerd_tolerate_missing_hugetlb_controller | lower }} | ||
disable_hugetlb_controller = {{ containerd_disable_hugetlb_controller | lower }} | ||
image_pull_progress_timeout = "{{ containerd_image_pull_progress_timeout }}" | ||
{% if enable_cdi %} | ||
enable_cdi = true | ||
cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"] | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless I'm mistaken, the debug socket is not enabled if this section is not present.
IMO, this whole section should be guarded with something like
containerd_enabled_debug_socket
, defaulting to false.Production setup should presumably not have a debug socket lying around.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This section is already present in current kubespray config to customize log level
See: https://github.com/kubernetes-sigs/kubespray/blob/master/roles/container-engine/containerd/templates/config.toml.j2#L10
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The debug log level is not the same thing that the normal log level, is it not ?
I know that section is already present. What I mean is that it should not be enabled by default, as kubespray by default target production use cases, and having a debug socket enabled in production is not optimal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It set the log level for everything, not just debug ones.
Same for the log format inside it.
Do you still want to disable this section entirely with a
containerd_enabled_debug
bool ? And no if defined inside it ?See: https://github.com/containerd/containerd/blob/83031836b2cf55637d7abf847b17134c51b38e53/cmd/containerd/command/main.go#L348
It takes the config.Debug.Level if no cli params is used, cli flags have higher priorities but we do not use them in kubespray.
Config struct is found here and the debug section looks like this:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wow, this is so weird (or I totally misunderstood something). Does that mean there is no way to change the log level from the config without enabling the debug socket ?
I mean, I assumed that the "normal" log stream (which I presume goes to standard output) and the "debug" log stream (to the debug socket) where different, but are they in fact the same ?
I've tried to check containerd documentation but couldn't find explanation about this.
That said, I still thinks we should not enable the debug socket in production, (unless the debug socket is an unfortunate naming and it's in fact required ?). Since we handle the generation of the systemd unit for containerd we could inject the log level as flags... 🤔
That does seems a bit weird from containerd though, I feel like I'm missing something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having the [debug] section in the toml config does not mean we activate the debug socket.
It is only activated
if config.Debug.Address != ""
, you can see the code here: https://github.com/containerd/containerd/blob/v1.7.16/cmd/containerd/command/main.go#L232By default debug socket is always disabled.
https://github.com/containerd/containerd/blob/v1.7.16/cmd/containerd/command/main_unix.go#L76
It is exactly the same for the metrics one: https://github.com/containerd/containerd/blob/v1.7.16/cmd/containerd/command/main.go#L245
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I think I got it, thanks for bearing with me (https://github.com/containerd/containerd/blob/main/docs/man/containerd-config.toml.5.md is not super helpful here !).
So, defining the address is what activate the debug socket, got it.
But according to the link above, it has a default value of
/run/containerd/debug.sock
, so it would be activated by default, is that correct ?What I would do in that case is have in our defaults/main.yml something like that.
And in the template something likg
wdyt ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The doc is misleading, it says it is enabled by default but it is not.
Here the config from a newly created node in my cluster
No debug.sock is setup nor present on the node, it seems to default to "", we can check with
/opt/bin/containerd config dump
which gives usWe can setup it explicitely like you said, it may be less confusing for us and users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this would be an okay output when running with kubespray defaults, so yeah, let's go the explicit way (minus the
enable
which is not needed if we just default to""
for the address.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I pushed my modifications