kubeadm: update docker version for CE and EE

[dmmcquay]

What this PR does / why we need it: Update regex for docker version to also capture new CE and EE versions.

Which issue this PR fixes: fixes #kubernetes/kubeadm#189

Special notes for your reviewer: /cc @jbeda @luxas

Release note:

NONE

[k8s-reviewable]

This change is 

[luxas]

cc @Random-Liu @dchen1107 @vishh @yujuhong @kubernetes/sig-node-pr-reviews
Is docker 1.13.x validated and officially supported in v1.6?

[yujuhong]

Is docker 1.13.x validated and officially supported in v1.6?

Nope. It's not running in node e2e yet.

[jbeda]

Discussion right now if we should allow 1.9+ without qualification (as this PR as it stands) or if we should warn for 1.13+ as it hasn't been 100% validated yet.

[luxas]

Discussion right now if we should allow 1.9+ without qualification (as this PR as it stands) or if we should warn for 1.13+ as it hasn't been 100% validated yet.

I think we should absolutely not allow 1.9+ without warnings; that would be bad UX.

If docker 1.13 isn't validated for v1.6, it isn't

I think we should continue to fail for 1.13 and 17.03-ce until sig-node has validated it.

On the other hand, our docs could include that "if you know what you're doing and have run this iptables command described in issue xxx then you may move on with --skip-preflight-checks"

[Random-Liu]

I'm not sure I understand the regexp here.

If we only want to officially support 1.9 - 1.12, could we change this to 1\.(9|1[0-2])\..*?

@dchen1107 Two questions here:

1. Do we still support 1.9?
2. Are we going to say we don't support 1.13+ now?

[vishh]

Testing code could still allow for testing newer versions. We might get some early signals from the community before upstream validates new versions. WDYT @Random-Liu ?

[Random-Liu]

Testing code could still allow for testing newer versions. We might get some early signals from the community before upstream validates new versions. WDYT @Random-Liu ?

Good point, sounds good to me.

However, for kubeadm preflight check, should we fail on version other than 1.10-1.12?

[dmmcquay]

@k8s-bot cvm gce e2e test this
@k8s-bot kops aws e2e test this

[dmmcquay]

@k8s-bot cvm gce e2e test this

[jbeda]

This LGTM. The only thing I'd like to see is some pointer for the user to learn more. Based on our current docs I think that https://kubernetes.io/docs/getting-started-guides/kubeadm/#limitations is the best place to send people.

I'm thinking we can just do this as part of the mondo error returned by RunChecks in checks.go. If we don't have something here it is likely that we'll have a lot of support issues to deal with.

I'm ok with merging without that, but I'd feel better if we had it.

[Random-Liu]

The regex seems wrong to me. For example things like 1.21, 1.221 will also match.

If we only want to support 1.9-1.12, 1\.(9|1[0-2])\..* seems better to me

[dchen1107]

sig-node agreed to drop 1.9.x support for 1.6 release, can we update the test here reflecting such change too?

[jbeda]

We should update this now.

[dchen1107]

Can we change the docker version checking logic here:

1. If docker version < Kubelet's docker minimal support version (docker client: 1.10, docker server 1.22, for k8s 1.6), throwing an error;
2. If docker version in the range of being validated and supported by the node team (docker 1.10.x to docker 1.12.x for k8s 1.6), pass;
3. if docker version is greater than the maximum version validated by the node team (for example: docker 1.13, etc.), throwing a warning with the proper validation information
   So that node-e2e tests can still run against latest docker release. Of course, docker changed their version schema, we are going to address it in 1.7 timeframe.

WDYT?

[jbeda]

I'm okay with @dchen1107's proposal. Currently the validators don't have a way to return warnings so that'll require some new plumbing.

@dmmcquay -- you up for it?

I still think we should direct users to a page for any precheck failure. At least we can address common things quickly there without pushing new code.

[yujuhong]

Of course, docker changed their version schema, we are going to address it in 1.7 timeframe.

We should check the docker API version (which is semver) instead.

[dmmcquay]

@dchen1107 @jbeda I don't know if I agree with the proposed change. Is the idea to rework the Validator interface so that Validate returns both a warning and an error? It seems like changing the other validators to compensate for just verifying docker would be strange.

What is the purpose of throwing the "warning"? Would logging the info satisfy this requirement?

[jbeda]

@yujuhong -- The API version isn't enough. There are other changes (such as how Docker sets up iptables) that can break people and won't show up as a breaking change to the API.

@dmmcquay -- my feeling is that <=1.9 we know it wont work. For 1.10-1.12 we have tested and validated. For >=1.13 it hasn't been validated and there may be issues (known and not known).

If we error for 1.13+ then if there are issues that people can work around they'll have to turn off all preflight checks. That means they may miss other problems. If we were able to specify which prechecks to skip then I'd be more comfortable making it an error over a warning.

This would mean changing the validator interface and that would be a bigger change. But the preflight check interface already knows how to surface warnings so it'll be limited to just the validator interface.

Thoughts? @dchen1107 @luxas @lukemarsden?

If we can't come to some other conclusion by EOD today, I think we should go with error for all non-proven versions with the addition of a link to the kubeadm docs.

[dmmcquay]

@jbeda One solution that I thought of would be making a new error type:

 type DockerValidatorError struct {  
     Msg     string                   
     Warning string                   
 }                                    

And then do some sort of type switch on the error, and if its a DockerValidatorError, you can check to see if there warning string is empty or not.

Not saying this is a better solution, just an idea for keeping the interface intact.

[jbeda]

@dmmcquay I dunno. That just seems to move the problem around into the kubeadm code. At the end of the day, we should look to refactor this stuff out of a test directory so we shouldn't be afraid to move it forward (as long as @dchen1107 and @yujuhong are cool with it).

[dmmcquay]

@jbeda, @dchen1107, @yujuhong PTAL and let me know what you think about the changes I made. This change will allow 1.13+ (including EE and CE versions) but will return a warning saying docker version is greater than the maximum version validated by the node team.

[dmmcquay]

@k8s-bot non-cri e2e test this

[jbeda]

Just some small nits. This didn't end up being as invasive as we feared!

[jbeda]

Users running this won't know who the "node team" is. I'd do something like:

"docker version is greater than the most recently validated version. Docker version: %s. Max validated version: %s"

Ideally we could point to a URL about what the known issues might be. @dchen1107 @yujuhong -- does the node team keep any documentation about the latest status of what has been validated?

[jbeda]

We should update this now.

[luxas]

nit: remove

[jbeda]

/lgtm

[k8s-ci-robot]

@jbeda: you can't LGTM a PR unless you are an assignee.

In response to this comment:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

The following people have approved this PR: dmmcquay, jbeda

Needs approval from an approver in each of these OWNERS Files:

• cmd/kubeadm/OWNERS [jbeda]
• test/e2e_node/OWNERS [jbeda]

We suggest the following people:
cc @vishh
You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[dmmcquay]

@k8s-bot non-cri e2e test this

[luxas]

Applying @jbeda's LGTM...

[k8s-github-robot]

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 42762, 42739, 42425, 42778)

[k8s-ci-robot]

@dmmcquay: The following test(s) failed:

Test name	Commit	Details	Rerun command
Jenkins GKE smoke e2e	d662c80	link	@k8s-bot cvm gke e2e test this
Jenkins GCI GKE smoke e2e	d662c80	link	@k8s-bot gci gke e2e test this
Jenkins unit/integration	35f0709	link	@k8s-bot unit test this
Jenkins kops AWS e2e	35f0709	link	@k8s-bot kops aws e2e test this

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.