-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support TCP type runtime endpoint for kubelet #46089
Conversation
Hi @karataliu. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/cc @Random-Liu @feiskyer @karataliu, thanks for the PR! I have a few questions.
|
@karataliu I'd be ok with adding an |
@yujuhong Thanks for the comments.
p.s. With this PR included, we'll get the following error during pod creating:
And related code of docker_manager in v1.6: |
@k8s-bot ok to test |
Yes, named pipe would be a better choice if grpc can support it. I am okay with Windows using TCP for now since it's an experimental/Alpha feature. The idea sounds good to me. Will review the PR later. |
@@ -302,8 +302,8 @@ func (c *kubeletConfiguration) addFlags(fs *pflag.FlagSet) { | |||
// CRI flags. | |||
fs.BoolVar(&c.ExperimentalDockershim, "experimental-dockershim", c.ExperimentalDockershim, "Enable dockershim only mode. In this mode, kubelet will only start dockershim without any other functionalities. This flag only serves test purpose, please do not use it unless you are conscious of what you are doing. [default=false]") | |||
fs.MarkHidden("experimental-dockershim") | |||
fs.StringVar(&c.RemoteRuntimeEndpoint, "container-runtime-endpoint", c.RemoteRuntimeEndpoint, "[Experimental] The unix socket endpoint of remote runtime service.") | |||
fs.StringVar(&c.RemoteImageEndpoint, "image-service-endpoint", c.RemoteImageEndpoint, "[Experimental] The unix socket endpoint of remote image service. If not specified, it will be the same with container-runtime-endpoint by default.") | |||
fs.StringVar(&c.RemoteRuntimeEndpoint, "container-runtime-endpoint", c.RemoteRuntimeEndpoint, "[Experimental] The endpoint of remote runtime service. Currently unix socket is supported on Linux, and tcp is supported on windows. Examples:'unix:///var/run/dockershim.sock', 'tcp://localhost:3735'") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You changed the format of the endpoint to include the protocol. I don't want to break existing users. Could you make sure that endpoints without protocols can still be accepted by assuming the default protocol for each OS?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's also a bit strange that the new schemes are not registered with the IANA. They seem to be Go-isms. Is it worth mentioning (here or in some other docs?) that unix
is a SOCK_STREAM
(vs. unixgram
's SOCK_DGRAM
and unixpacket
's SOCK_SEQPACKET
)?
// +build windows | ||
|
||
/* | ||
Copyright 2016 The Kubernetes Authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/2016/2017
@@ -577,6 +570,9 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub | |||
return nil, fmt.Errorf("unsupported CRI runtime: %q", kubeCfg.ContainerRuntime) | |||
} | |||
runtimeService, imageService, err := getRuntimeAndImageServices(kubeCfg) | |||
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch! :-)
Thanks for the comments. I thinks it's good to keep compatible with existing "container-runtime-endpoint" and "image-service-endpoint" flag formats, though they're still marked as '[Experimental]'. But for windows, since the CRI support is new, suppose we could enforce the full url format as there being no 'legacy' behaviour. Otherwise it is likely to become chaos if we're to change default protocol type on windows in future. I've pushed a new commit: add fallback support for using '/var/run/a.sock' as unix socket on linux, and also include a hint message for users to update endpoint format. Please comment. |
The new commit looks good. Could you add some basic unit tests for the parsing functions? I think the PR will be good to go after that. |
unit test commit pushed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
LGTM. Will apply the label after you squash the commits. Thanks! |
@karataliu, to speed up the review turnaround time, feel free to send another PR for the rest of changes (e.g., fixing the security options) whenever you're ready. Thanks |
@yujuhong Squashed commit pushed. Looks fine, I'll try that. Thanks. |
@karataliu: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@karataliu thanks for working on this! /lgtm |
cc @mtaufen for approval. |
componentconfig changes look fine to me |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: karataliu, mtaufen, yujuhong
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Automatic merge from submit-queue (batch tested with PRs 46124, 46434, 46089, 45589, 46045) |
Automatic merge from submit-queue Support windows in dockershim **What this PR does / why we need it**: This is the 2nd part for #45927 . The non-cri implementation dockertools was removed from kubelet v1.7 . Part of previous work for supporting windows container lies in v1.6 dockertools, this PR is to port them to dockershim. Main reference file in v1.6 dockertools windows support: https://github.com/kubernetes/kubernetes/blob/v1.6.4/pkg/kubelet/dockertools/docker_manager_windows.go **Which issue this PR fixes** 45927, for now catching up the implementation of v1.6 **Special notes for your reviewer**: The code change includes 4 parts, put them together as we discussed in #46089 1. Update go-winio package to a newer version 'go-winio' package is used by docker client. This change is to bring the support for Go v1.8, specifically included in the PR: microsoft/go-winio#48 Otherwise it will produce a lot of error like in: fsouza/go-dockerclient#648 2. Add os dependent getSecurityOpts helper method. seccomp not supported on windows Corresponding code in v1.6: https://github.com/kubernetes/kubernetes/blob/v1.6.4/pkg/kubelet/dockertools/docker_manager_windows.go#L78 3. Add updateCreateConfig. Allow user specified network mode setting. This is to be compatible with what kube-proxy package does on Windows. Also, there is a Linux section in both sandbox config and container config: LinuxPodSandboxConfig, LinuxContainerConfig. And that section later goes to Config and HostConfig section under docker container createConfig. Ideally hostconfig section should be dependent on host os, while config should depend on container image os. To simplify the case, here it assumes that windows host supports windows type container image only. It needs to be updated when kubernetes is to support windows host running linux container image or the like. Corresponding code in v1.6: https://github.com/kubernetes/kubernetes/blob/v1.6.4/pkg/kubelet/dockertools/docker_manager_windows.go#L57 4. Add podIpCache in dockershim. For v1.6 windows implementation, it still does not use sandbox, thus only allow single container to be exposed. Here added a cache for saving container IP, to get adapted to the new CRI api. Corresponding code in v1.6: No sandbox: https://github.com/kubernetes/kubernetes/blob/v1.6.4/pkg/kubelet/dockertools/docker_manager_windows.go#L66 Use container id as pod ip: https://github.com/kubernetes/kubernetes/blob/v1.6.4/pkg/kubelet/dockertools/docker_manager.go#L2727 **Release note**:
What this PR does / why we need it:
Currently the grpc server for kubelet and dockershim has a hardcoded endpoint: unix socket '/var/run/dockershim.sock', which is not applicable on non-unix OS.
This PR is to support TCP endpoint type besides unix socket.
Which issue this PR fixes
This is a first attempt to address issue #45927
Special notes for your reviewer:
Before this change, running on Windows node results in:
After adding the cm stub, error becomes:
This PR is to fix those two issues.
After this change, still meets 'seccomp' related issue when running on Windows node, needs more updates later.
Release note: