-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Identify, document and maybe remove kubelet dependencies #26093
Comments
@pwittrock What is the best way to document these requirements moving forward? |
@luxas Classy digging, and this is super-useful to have. +100 We should decide at what level we want to document transitive deps. For example, cadvisor is going to begin calling |
@vishh I think adding a page to the "Administering Clusters" at http://kubernetes.io/docs/ would be the best place |
@pmorie Thanks :) It took some time to dig out. When we document it, I think we should present them in groups, e.g. always required, required with option But we should also get rid of some:
|
Automatic merge from submit-queue Do not call NewFlannelServer() unless flannel overlay is enabled Ref: #26093 This makes so kubelet does not warn the user that iptables isn't in PATH, although the user didn't enable the flannel overlay. @vishh @freehan @bprashanth
Some things I've learned so far (will update the list)
|
There's a dependency on |
@pmorie Added. Do you remember any others right now? |
@luxas Nope, I just saw that one during a code review. |
In addition to documenting these, I think it would be useful to check for all of them on kubelet startup. Hard dependencies should log fatal errors, and soft dependencies could log warnings. |
nfs-utils (at least on Fedora/Red Hat/CentOS based systems) is needed by the nfs volume plugin. |
ceph-common (at least on Fedora/Red Hat/CentOS based systems) is needed for the ceph volume plugin |
glusterfs-fuse should be all that is needed for using the gluster storage plugin (at least on Fedora/Red Hat/CentOS based systems). |
iscsi-initiator-utils (Fedora/Red Hat/CentOS based systems) is needed by the iscsi volume plugin |
@timstclair I'm not sure you would want a fatal error if a storage plugin dependency isn't available, I would expect them to just not be loaded (and an obvious event and log message generated) if that is the case. |
Thanks @detiber! (And for anyone out there that knows even more deps of the kubelet, comment!) I think @timstclair meant that all storage drivers are soft deps, so kubelet would log a warning. |
Is this part of NodeSpec? I am still unclear what kubernetes/enhancements#56 is trying to describe. |
Just noticed that
|
Summarizing the PATH requirements for kubelet (oh my!):
Hard requirements (kubelet should fail without these):
I'm not sure if these should be hard or soft deps:
How to remove some dependencies (before v1.4):
A dedicated I can start to implement a WDYT? |
Not only we need |
I'm not sure if that's the right place to drop that (perhaps new issue should be created?), but for people running For my project, I run I documented it here, even though it's probably incomplete, as I didn't test everything yet. |
this type of documentation improvement is nice to have. |
Just a note here - I had my own version of nsenter installed (via pip3 install) on ubuntu20. This caused a continual kubelet crash which took a while to diagnose - kubelet of course wanted nsenter from util-linux. It sure would be nice if the preflight called out the dependency on the distro version of nsenter. Oct 09 18:45:59 faucet kubelet[296741]: E1009 18:45:59.180219 296741 pod_workers.go:191] Error syncing pod db24ffc3-ef58-45b8-87f9-6da3dd701ce7 ("coredns-f9fd979d6-7d488_kube-system(db24ffc3-ef58-45b8-87f9-6da3dd701ce7)"), skipping: failed to "StartContainer" for "coredns" with CrashLoopBackOff: "back-off 40s restarting failed container=coredns pod=coredns-f9fd979d6-7d488_kube-system(db24ffc3-ef58-45b8-87f9-6da3dd701ce7)" |
/joke |
@XuanYang-cn: A termite walks into a bar and asks “Is the bar tender here?” In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/triage accepted |
/priority important-longterm |
/remove-priority backlog |
This issue has not been updated in over 1 year, and should be re-triaged. You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/ /remove-triage accepted |
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
HI @thockin, Could you please share why did you close this one? |
Mostly backlog grooming. This is 7 years old and the last meaningful update was 3 years ago. Does it serve a purpose to leave it open? Is someone going to do it? It's a wonderful idea....if someone will act on it, let's reopen? |
See: kubernetes/kubernetes#26093 (comment) Setup `passthru.updateScript`
See: kubernetes/kubernetes#26093 (comment) Setup `passthru.updateScript`
See: kubernetes/kubernetes#26093 (comment) Setup `passthru.updateScript`. Only build or run rke2 in linux.
See: kubernetes/kubernetes#26093 (comment) Setup `passthru.updateScript`. Only build or run rke2 in linux.
See: kubernetes/kubernetes#26093 (comment) Setup `passthru.updateScript`. Only build or run rke2 in linux.
See: kubernetes/kubernetes#26093 (comment) Setup `passthru.updateScript`. Only build or run rke2 in linux.
Kubelet has a few dependencies, and we should be aware of them, document them so users know what's the minimum amount of other programs kubelet needs around it to execute successfully.
I'm testing this by compiling kubelet statically and running it in a
busybox
container with absolutely nothing. I've been surprised how well it runs after all.I'm listing some, both hard and soft dependencies:
glibc
: hard dependency on the right libraries at runtime. We should get rid of this, as it's unnecessary: Make all Kubernetes binaries statically linked #26028root
access: hard dependency and unavoidable. The kubelet has to have full control of the machine (CAP_SYS_ADMIN
is one of the privs that are needed, at least when running in a container)cgroups
cpu
andmemory
: required and used in the meantimecpuacct
andcpuset
: required but not used (but @vishh said they will be used in the future)journalctl
: bug in cAdvisor, should not be requirediptables
: Is required for the kubelet it seems: Do not call NewFlannelServer() unless flannel overlay is enabled #26264, although now flannel isn't initialized when not used.ethtool
: Required forhairpin
code. I do not really understand whathairpin
is required/used for... @thockin @bprashanthnsenter
: Used asutil/io/writer
when--containerized
. Used by--docker-exec-handler
, but not default. Used withsocat
for port forwarding within a pod.mount
,umount
andfindmnt
: Used inNsenterWriter
inutil/io/writer
socat
: Used for port forwarding within a pod. codetouch
: Used byrkt
codedocker
orrkt
obviouslysystemd
? Doesrkt
require asystemd
host? @yifan-gu/:ro
it must be able to read from the whole host/var/run/:rw
required for communicating with docker, setting up certs etc./sys/:rw
for variouscgroup
things/var/lib/kubelet:rw
and/var/lib/docker:rw
it obviously must be able to write to it's own and docker's dirfor
kube-proxy
:iptables
: is of course a hard requirement. But the problem is that (as it seems) iptables has to be linked dynamically, which sets aglibc
dep on thekube-proxy
image.conntrack
: used for limiting requests (I think)inside client containers:
env
: Seems like it's required inside a container that Kubernetes is running, but only when using--docker-exec-handler=native
codevolume plugins:
dmidecode
: required for the vsphere pluginglusterfs-server
,glusterfs-client
are required for theglusterfs
plugingit
is required for the git pluginPlease correct me if I'm wrong, and comment if there is anything I've missed.
Would appreciate discussion about this (and we should have multi-platform Kubernetes in mind)
cc @vishh @smarterclayton @mikedanese @pmorie
The text was updated successfully, but these errors were encountered: