cri-o: set manage_ns_lifecycle to true #1568
As it is more secure and gives cri-o more control of namespace lifecycle. Also change the outdated config name value Signed-off-by: Peter Hunt <pehunt@redhat.com>
/retest
/retest
/retest
/test e2e-aws
/retest
@mtrmac @umohnani8 PTAL and lift hold/add LGTM once you review. /hold
I really have no expertise in this aspect of CRI-O right now.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: haircommander, kikisdeliveryservice, umohnani8. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Seems to be breaking most of the ovn-kubernetes CI tests in both GCP and AWS with errors like:
@dcbw: It's breaking Kuryr too, please advise if we should make sure Kuryr is configured to expect the netns on
Ah, also it's worth asking about upgrade strategy here. Would 4.4->4.5 upgrade relocate all the network namespaces?
openshift/machine-config-operator#1568 moved pod namespaces from /proc into /var/run/crio. As Kuryr needs access to them in order to manipulate interfaces, we need to mount the new directory and this commit does that. Most likely the same change needs to be done for ovn-kubernetes, but it's a bit out of my expertise.
Eventually, we will want this change (using /proc is inherently racy and risky). If needed, we can revert this to fix OVNKubernetes, but if the fix is as simple as adding a mount as it is for Kuryr, we should do that and keep this change. WDYT @dcbw
For some reason adding a mount is not solving the problem - there still are some permissions issues even though Kuryr runs as root in a privileged pod. Also we do need to understand the upgrade strategy here. Will we be sure DEL requests for the pods that already existed during 4.4->4.5 upgrade will point to the new directory where netns are or the old one?
Do AWS or GCP CI tests not use ovn-kubernetes? This has broken baremetal IPI, as well. Is there any workaround we could do to make this work for us? Or any chance to revert if there won't be a quick fix? Thank you!
What has broken with baremetal IPI? I will revert this fix, though I'd like to compile all the failures it caused to try to mitigate them when we eventually make this switch.
Reverted here: #1600
I had a bunch of pods stuck at ContainerCreating:
master-0 journal was scrolling:
We do have OpenShift CI now, I've opened openshift/release#8051 to enable it on this repository (non-blocking, opt-in only) if someone here wants to review. The e2e-metal-ipi job is nice since all networks are default IPv6, and it uses ovn-kubernetes by default.
- What I did
change the entry in crio.conf template to manage ns lifecycle
As it is more secure and gives cri-o more control of namespace lifecycle. Also change the outdated config name value
- How to verify it
- Description for the changelog
CRI-O now manages namespace lifecycle
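One way to fill in the empty "How to verify it" step, as an added example that is not the PR's or CRI-O's own code: check that crio.conf actually sets `manage_ns_lifecycle = true` and that a sandbox's network namespace is a pinned one under /var/run/crio (the location named in the thread) rather than a /proc/<pid>/ns/net path. The sample config files and the pod id `abc123` are constructed; reading the path via `crictl inspectp` is an assumption.

```shell
#!/bin/sh
# Added verification helper for this PR's "How to verify it" step (not PR
# or CRI-O code). Assumes crio.conf is TOML with the key in [crio.runtime]
# and that CRI-O pins managed pod namespaces under /var/run/crio, the
# location named in the discussion above.

# Print the value of manage_ns_lifecycle, ignoring comment lines ("unset"
# if absent). The outdated name manage_network_ns_lifecycle does not match.
crio_ns_lifecycle_setting() {
    sed -n 's/^[[:space:]]*manage_ns_lifecycle[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" \
        | tail -n 1 | grep . || echo unset
}

# Classify a sandbox's network namespace path:
#   pinned - under /var/run/crio; outlives the sandbox's init process, so a
#            late CNI DEL still has a valid target
#   proc   - /proc/<pid>/ns/net, valid only while that process lives (racy)
#   other  - anything else, e.g. /var/run/netns/<name>
netns_kind() {
    case "$1" in
        /var/run/crio/*|/run/crio/*) echo pinned ;;
        /proc/[0-9]*/ns/net) echo proc ;;
        *) echo other ;;
    esac
}
# 0 only when config and observation agree: lifecycle managed and netns
# pinned. On a node, read the path from the sandbox's OCI runtime spec
# (e.g. crictl inspectp <pod-id>; assumed available).
verify_ns_lifecycle() {
    [ "$(crio_ns_lifecycle_setting "$1")" = true ] && [ "$(netns_kind "$2")" = pinned ]
}

# Constructed sample configs, not copied from the PR.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/managed.conf" <<'EOF'
[crio.runtime]
# manage_network_ns_lifecycle = true   <- outdated name, ignored
manage_ns_lifecycle = true
EOF
cat > "$SAMPLE_DIR/unmanaged.conf" <<'EOF'
[crio.runtime]
manage_ns_lifecycle = false
EOF
if verify_ns_lifecycle "$SAMPLE_DIR/managed.conf" /var/run/crio/netns/abc123; then
    echo "ok: manage_ns_lifecycle is on and the netns is pinned"
else
    echo "mismatch: check crio.conf and the sandbox netns path"
fi
```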