KEP 4216: Implement support for image pull per runtime class #9832
Conversation
|
cc @shuaichang |
kiashok
force-pushed
the
allChanges-kep-4216
branch
from
cdb46e2 to
25884d1
Compare
|
Flicking through this, I noticed a couple of unremoved TODOs that I think are being resolved by the adjacent changes, and also (not in this PR, but while checking context) I think I saw some confusion between "runtime_platforms" and "runtime_platform" for the TOML config migration code, which might potentially cause unexpected failures when testing this work. (Also, is Anyway, so I better-understand, the approach being used here is to have the runtime handler config optionally include a platform string to override (Actually, if I'm browsing the code correctly, we don't provide a platform-per-handler, but have a mapping elsewhere in the config? I'm not sure what this looks like in the config file, once this has examples/docs added, that'll be clearer. I might be overlooking some code, I'm not super-familiar with the CRI plugin.) If I'm browsing this correctly, we can't provide a single runtime handler with multiple platforms either, which is a shame, but that's not being affected by this PR AFAICT. I don't think it does, but I wanted to confirm that this isn't blocking the idea of using different platform matchers for different runtime handlers, so that we can for example make |
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
-Add platform image labels to transfer service and CRI functions to help indicate what platform the image is being pulled for. -Update containerd image store with imageID,repoDigest and repoTag when images are pulled with transfer service to keep the behavior in sync with CRIImageService.ImagePull() Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
- Honors runtimeHandler passed in CRI for image pull code paths - Extends basic functions needed to support having multiple platforms of the same image pulled in CRI image store. Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
- Reload images by supporting multi snapshotter and platform image labels. If an image has not been unpacked with any snapshotter, an attempt is made to remove that platform image label. Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
kiashok
force-pushed
the
allChanges-kep-4216
branch
from
25884d1 to
94ff140
Compare
@TBBle please refer to KEP https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/4216-image-pull-per-runtime-class#summary for details on this. |
|
@dims @dmcgowan @mikebrow @fuweid rebased the PR. Still waiting for the PR on containerd/platform containerd/platforms#6 to be merged. The first commit in this PR can be removed once that is done. Rest of the commits are ready to be reviewed. cc @estesp |
|
@kiashok: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| } | ||
|
|
||
| for _, platform := range listOfPlatformsForImage { | ||
| images = append(images, NewImageWithPlatform(c, img, platforms.Only(platforms.MustParse(platform)))) |
There was a problem hiding this comment.
I think it's not a good to change basic API logic here. For containerd API, the image service already supports multiple platforms. It doesn't make sense to change here. We should add a wrapper function in CRI plugin side.
|
|
||
| // PlatformLabelPrefix is common prefix for indicating what platforms | ||
| // an image has been pulled for | ||
| PlatformLabelPrefix = "containerd.io/imagePulledForPlatform" |
There was a problem hiding this comment.
I'm not sure I follow the design here. Would we just use existing API to check the platform part?
IMO, it's hard to make sure that the existing data is consistent with label.
The user might use ctr or other tools to pull images and change the labels.
There was a problem hiding this comment.
I think just like how we add CRI image labels for images pulled through ctr, we should do the same for platform label as well. We need some way to track which platform the image is being pulled for as it is needed by ImageService.UpdateImage() that gets called after an event is published. An alternative was to store this information as an exclusive field in containerd image struct but feedback given was that runtimehandler/platform info is specific to CRI and should not be saved to core containerd structures. Therefore, labels are the only alternative to achieve this.
|
I've started testing this PR as it is, and I will start dropping comments as I face issues. The first one, building containerd: Basically, Maybe this would be what we're looking for? A second thing here, that I was aware it wasn't being focused on this PR, but we'll need to take into consideration. This PR is proposing a mapping between an Image and the Platform, but we may still get to the case that one specific Platform uses different snapshotters there. In case of linux/amd64, for instance, we may use overlayfs for vanilla container runtimes, but add devmapper / nydus for kata-containers / confidential-containers. Then, what I'd expect as a user, that if user U1 schedules an nginx pod to run with runc (using overlayfs), and user U2 schedules an nginx pod to run with kata-containers (using nydus, in my tests), containerd would have a way to distinguish between the images used by each specific snapshotter. This is not the case right now in the current upstream codebase, neither with this patch applied. After starting an nginx pod with runc, and then trying to start the same pod with Kata Containers, I get the following error: This is happening because, even nydus being properly set up and configured, containerd will assume that the already downloaded and cached, using overlayfs, "pause" and "nginx" images are returned instead of actually triggering a PullImage for the correct snapshotter. |
+1 here. We also have use cases where using different snapshotters on the same platform, but under different runtime handlers. Can we instead maintain a mapping between image and runtime handlers? |
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| // Ref of the image | ||
| Ref string | ||
| // Runtimehandler used for pulling this image | ||
| Platform string |
There was a problem hiding this comment.
The comment mentions RuntimeHandler, but it seems we're using platform everywhere.
Shouldn't this actually be RuntimeHandler and we should ensure that the RuntimeHandler is actually used?
The same comment goes for the ImageIDKey struct and how it's used.
There was a problem hiding this comment.
No we moved away from the design of storing the runtimeHandler as it was making changes to core containerd packages which we did not want to do ahead with. This comment needs to be updated to "Platform used for pulling this image". Will address this and push new changes.
Please check the changes made in check.go . The platform associated with an image MAY map to multiple runtime handlers and the associated snapshotter with that runtime handler. Therefore, we go through the list of runtime handlers during reload time to ensure we unpack for the different snapshotters. If an image was not unpacked for a particular snapshotter, this will fail and we will continue with the rest of runtime handlers whose platform matches the image's platform.
If I understand the example you are talking about, I think the above response applies to this as well. If I have missed something, please let me know. |
please refer to #9832 (comment) |
I have a couple of questions/concerns about this:
|
Thanks for the explanation. I understand the concern of introducing runtime handler concept to the core. Just wanted to bring up a use case from my side and I really hope this scenario can be supported by this patch. We have use cases that requires mapping of runtime classes to different snapshotters. In our setup the runtime classes (snapshotters) will share the same platform. Hope this scenario could be put into consideration in the design. |
I don't think we should combine any already existing containerd bugs to this PR changes. Could you please track them separately by opening github issues on containerd? I think with the annotation approach you are trying, existing containerd changes should support it. I think we are trying to mix up too many things here. |
|
This PR is stale because it has been open 90 days with no activity. This PR will be closed in 7 days unless new comments are made or the stale label is removed. |
|
Discussed a newer approach with Derek and since it is significantly different from the approach taken here, sent out a new PR #10533 |
This PR implements the main logic needed to support image pull per runtime class.
In K8s v1.29 CRI, a new field for RuntimeHandler was added in the ImageSpec struct. We should honor this field during image pull, image remove and containerd restart and ensure that image is pulled for the appropriate platform
With this feature, an image can now exist for multiple platforms. Therefore, a new platform label is added to every containerd image to indicate the platform that the image exists for.
With these changes, an image in CRI will now be referenced as a tuple of (imageID/imageName, platform) instead of just the imageName or imageID.
CRIImageService.RemoveImage() :
ReloadImages(): When containerd is restarted, CRI's image cache is updated from reading containerd's image store. When containerd is started the CRIImageService.ImagePlatforms field could have been updated in containerd.toml. Therefore, on the reload it is important for us to parse every platform image label and try unpack on compatible snapshotters for this image. If the image could not be unpacked with any such snapshotter, then we attempt to cleanup by removing this platform image label from the containerd image.
P.S. :
The first commit is merely a cherry-pick of PR that is currently in review in containerd/platform.
This PR has two sign offs and waiting to be merged.
Add format for platform string platforms#6
Tests to verify new functionality will be added to this PR once there is consensus on this approach.