
api/services/task: add RuntimeInfo() #8509

Closed
wants to merge 1 commit into from

Conversation

AkihiroSuda
Member

@AkihiroSuda AkihiroSuda commented May 11, 2023

The RuntimeInfo() method returns the OCI Runtime features that are implemented by the runtime.

Expected to be used for:

RPC

Request:

message RuntimeInfoRequest {
        string runtime_path = 1;
        // Options correspond to CreateTaskRequest.options
        google.protobuf.Any options = 2;
}

Response:

message RuntimeVersion {
        string version = 1;
        string revision = 2;
}

message RuntimeInfo {
        string name = 1;
        RuntimeVersion version = 2;
        // Options correspond to RuntimeInfoRequest.Options
        google.protobuf.Any options = 3;
        // OCI-compatible runtimes should use https://github.com/opencontainers/runtime-spec/blob/main/features.md
        google.protobuf.Any features = 4;
        // Annotations of the shim. Irrelevant to features.Annotations.
        map<string, string> annotations = 5;
}

Examples

Use ctr task runtime-info to test this.

Default (runc)

$ sudo ctr task runtime-info
{
    "Name": "io.containerd.runc.v2",
    "Version": {
        "Version": "v1.7.0-231-g36b30b3bb",
        "Revision": "v1.7.0-231-g36b30b3bb"
    },
    "Options": {},
    "Features": {
        "ociVersionMin": "1.0.0",
        "ociVersionMax": "1.1.0-rc.2",
        "hooks": [
            "prestart",
            "createRuntime",
            "createContainer",
            "startContainer",
            "poststart",
            "poststop"
        ],
        "mountOptions": [
            "async",
            "atime",
            "bind",
            "defaults",
            "dev",
            "diratime",
            "dirsync",
            "exec",
            "iversion",
            "lazytime",
            "loud",
            "mand",
            "noatime",
            "nodev",
            "nodiratime",
            "noexec",
            "noiversion",
            "nolazytime",
            "nomand",
            "norelatime",
            "nostrictatime",
            "nosuid",
            "nosymfollow",
            "private",
            "ratime",
            "rbind",
            "rdev",
            "rdiratime",
            "relatime",
            "remount",
            "rexec",
            "rnoatime",
            "rnodev",
            "rnodiratime",
            "rnoexec",
            "rnorelatime",
            "rnostrictatime",
            "rnosuid",
            "rnosymfollow",
            "ro",
            "rprivate",
            "rrelatime",
            "rro",
            "rrw",
            "rshared",
            "rslave",
            "rstrictatime",
            "rsuid",
            "rsymfollow",
            "runbindable",
            "rw",
            "shared",
            "silent",
            "slave",
            "strictatime",
            "suid",
            "symfollow",
            "sync",
            "tmpcopyup",
            "unbindable"
        ],
        "linux": {
            "namespaces": [
                "cgroup",
                "ipc",
                "mount",
                "network",
                "pid",
                "user",
                "uts"
            ],
            "capabilities": [
                "CAP_CHOWN",
                "CAP_DAC_OVERRIDE",
                "CAP_DAC_READ_SEARCH",
                "CAP_FOWNER",
                "CAP_FSETID",
                "CAP_KILL",
                "CAP_SETGID",
                "CAP_SETUID",
                "CAP_SETPCAP",
                "CAP_LINUX_IMMUTABLE",
                "CAP_NET_BIND_SERVICE",
                "CAP_NET_BROADCAST",
                "CAP_NET_ADMIN",
                "CAP_NET_RAW",
                "CAP_IPC_LOCK",
                "CAP_IPC_OWNER",
                "CAP_SYS_MODULE",
                "CAP_SYS_RAWIO",
                "CAP_SYS_CHROOT",
                "CAP_SYS_PTRACE",
                "CAP_SYS_PACCT",
                "CAP_SYS_ADMIN",
                "CAP_SYS_BOOT",
                "CAP_SYS_NICE",
                "CAP_SYS_RESOURCE",
                "CAP_SYS_TIME",
                "CAP_SYS_TTY_CONFIG",
                "CAP_MKNOD",
                "CAP_LEASE",
                "CAP_AUDIT_WRITE",
                "CAP_AUDIT_CONTROL",
                "CAP_SETFCAP",
                "CAP_MAC_OVERRIDE",
                "CAP_MAC_ADMIN",
                "CAP_SYSLOG",
                "CAP_WAKE_ALARM",
                "CAP_BLOCK_SUSPEND",
                "CAP_AUDIT_READ",
                "CAP_PERFMON",
                "CAP_BPF",
                "CAP_CHECKPOINT_RESTORE"
            ],
            "cgroup": {
                "v1": true,
                "v2": true,
                "systemd": true,
                "systemdUser": true,
                "rdma": true
            },
            "seccomp": {
                "enabled": true,
                "actions": [
                    "SCMP_ACT_ALLOW",
                    "SCMP_ACT_ERRNO",
                    "SCMP_ACT_KILL",
                    "SCMP_ACT_KILL_PROCESS",
                    "SCMP_ACT_KILL_THREAD",
                    "SCMP_ACT_LOG",
                    "SCMP_ACT_NOTIFY",
                    "SCMP_ACT_TRACE",
                    "SCMP_ACT_TRAP"
                ],
                "operators": [
                    "SCMP_CMP_EQ",
                    "SCMP_CMP_GE",
                    "SCMP_CMP_GT",
                    "SCMP_CMP_LE",
                    "SCMP_CMP_LT",
                    "SCMP_CMP_MASKED_EQ",
                    "SCMP_CMP_NE"
                ],
                "archs": [
                    "SCMP_ARCH_AARCH64",
                    "SCMP_ARCH_ARM",
                    "SCMP_ARCH_MIPS",
                    "SCMP_ARCH_MIPS64",
                    "SCMP_ARCH_MIPS64N32",
                    "SCMP_ARCH_MIPSEL",
                    "SCMP_ARCH_MIPSEL64",
                    "SCMP_ARCH_MIPSEL64N32",
                    "SCMP_ARCH_PPC",
                    "SCMP_ARCH_PPC64",
                    "SCMP_ARCH_PPC64LE",
                    "SCMP_ARCH_RISCV64",
                    "SCMP_ARCH_S390",
                    "SCMP_ARCH_S390X",
                    "SCMP_ARCH_X32",
                    "SCMP_ARCH_X86",
                    "SCMP_ARCH_X86_64"
                ],
                "knownFlags": [
                    "SECCOMP_FILTER_FLAG_TSYNC",
                    "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
                    "SECCOMP_FILTER_FLAG_LOG"
                ],
                "supportedFlags": [
                    "SECCOMP_FILTER_FLAG_TSYNC",
                    "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
                    "SECCOMP_FILTER_FLAG_LOG"
                ]
            },
            "apparmor": {
                "enabled": true
            },
            "selinux": {
                "enabled": true
            },
            "intelRdt": {
                "enabled": true
            }
        },
        "annotations": {
            "io.github.seccomp.libseccomp.version": "2.5.4",
            "org.opencontainers.runc.checkpoint.enabled": "true",
            "org.opencontainers.runc.commit": "v1.1.0-534-g26851168",
            "org.opencontainers.runc.version": "1.1.0+dev"
        }
    },
    "Annotations": null
}

crun (prior to v1.8.6)

The Features property is null because `crun features` was not implemented until crun v1.8.6.

$ sudo ctr task runtime-info --runc-binary=crun
{
    "Name": "io.containerd.runc.v2",
    "Version": {
        "Version": "v1.7.0-231-g36b30b3bb",
        "Revision": "v1.7.0-231-g36b30b3bb"
    },
    "Options": {
        "binary_name": "crun"
    },
    "Features": null,
    "Annotations": null
}

io.containerd.runsc.v1

Fails because `containerd-shim-runsc-v1 -info` is not implemented yet.

$ sudo ctr task runtime-info --runtime=io.containerd.runsc.v1
ctr: rpc error: code = Unknown desc = failed to get runtime info for "io.containerd.runsc.v1": failed to run [/usr/local/bin/containerd-shim-runsc-v1 -info]: exit status 2 (stderr: "flag provided but not defined: -info\nUsage of /usr/local/bin/containerd-shim-runsc-v1:\n  -address string\n    \tgrpc address back to main containerd\n  -bundle string\n    \tpath to the bundle if not workdir\n  -debug\n    \tenable debug output in logs\n  -id string\n    \tid of the task\n  -namespace string\n    \tnamespace that owns the shim\n  -publish-binary string\n    \tpath to publish binary (used for publishing events) (default \"containerd\")\n  -socket string\n    \tsocket path to serve\n  -v\tshow the shim version and exit\n")

@AkihiroSuda AkihiroSuda added this to the 2.0 milestone May 11, 2023
@AkihiroSuda AkihiroSuda force-pushed the runtime-info branch 3 times, most recently from 9fcd53f to c9a386d May 11, 2023 15:53
@AkihiroSuda AkihiroSuda requested a review from dmcgowan May 16, 2023 03:02
@dmcgowan dmcgowan added the status/needs-discussion Needs discussion and decision from maintainers label May 17, 2023
Member

@mikebrow mikebrow left a comment


LGTM
noting that for k8s they would likely need to use the CRI api ContainerStatus() .. see crictl info for current example of verbose output. Both apis should return the same information.

@AkihiroSuda
Member Author

LGTM noting that for k8s they would likely need to use the CRI api ContainerStatus() .. see crictl info for current example of verbose output. Both apis should return the same information.

In the CRI API, the runtime features are intended to be added to the StatusResponse message like this:
https://github.com/kubernetes/enhancements/pull/3858/files#diff-a5e3a174567e889120ab32af5f159c2bcddd459cc36abdf56f3eceb5ad86d6c5R446

@Iceber
Member

Iceber commented May 30, 2023

As a feature that runtime will call, the documentation can be updated to suggest that shim developers implement this flag
https://github.com/containerd/containerd/tree/main/runtime/v2#shim-authoring

@AkihiroSuda
Member Author

documentation

Added

@mikebrow
Member

LGTM noting that for k8s they would likely need to use the CRI api .edited typo. Status() .. see crictl info for current example of verbose output. Both apis should return the same information.

In the CRI API, the runtime features are intended to be added to the StatusResponse message like this: https://github.com/kubernetes/enhancements/pull/3858/files#diff-a5e3a174567e889120ab32af5f159c2bcddd459cc36abdf56f3eceb5ad86d6c5R446

nod though it's called info command in crictl the api is cri Status() with StatusResponse message

@AkihiroSuda
Member Author

@dmcgowan PTAL

@AkihiroSuda AkihiroSuda force-pushed the runtime-info branch 2 times, most recently from 4eba2c4 to 8aa955f September 5, 2023 20:11
@AkihiroSuda
Member Author

Rebased

@AkihiroSuda
Member Author

/retest

@dmcgowan
Member

dmcgowan commented Sep 6, 2023

Could we consider adding this function to a new service definition rather than to task v1. We have rejected changes like this in the past because v1 task definition is stable and no plans for a task v2. I think we already need something like a runtime introspection API.

@AkihiroSuda
Member Author

Could we consider adding this function to a new service definition rather than to task v1. We have rejected changes like this in the past because v1 task definition is stable and no plans for a task v2. I think we already need something like a runtime introspection API.

I’m not sure. I don’t feel the runtime info is decouplable from the task service.

Annotations map[string]string
}

func (c *Client) RuntimeInfo(ctx context.Context, runtimePath string, runtimeOptions interface{}) (*RuntimeInfo, error) {
Contributor


I'm not sure at which layer, but it would be nice to cache this info instead of running it every time.

If we require a containerd restart when you upgrade runc, it seems like a reasonable trade off IMHO.

What do you think?

Member Author


I'd say caching is the caller's responsibility

Contributor


Sure, not here in the client. But I mean, probably the runc manager can cache it, right? Or at some other layer we are modifying here?

Member Author


Runc binary can be updated without restarting the daemon, so I don’t think the daemon should cache the info.

@AkihiroSuda
Member Author

@dmcgowan What should we do with this?
Not sure how the runtime info can be decoupled from the task service.

Use `ctr task runtime-info` to test this.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
Member Author

Rebased

@AkihiroSuda
Member Author

@AkihiroSuda AkihiroSuda marked this pull request as draft October 5, 2023 17:49
@k8s-ci-robot

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@AkihiroSuda
Member Author

New PR:

Moved the method from the task service to the introspection service.

Labels
impact/changelog needs-rebase status/needs-discussion Needs discussion and decision from maintainers