do-not-merge: This will be used to test the kata-containers CI related stuff #263
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nydus-snapshotter / nydus will be used to get rid of the containerd fork we have, allowing us to do both the image pulling on the host side and inside the guest. NOTE: This PR should NOT be merged as it's, as it breaks s390x payload build. Signed-off-by: ChengyuZhu6 <[email protected]> Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
|
/test |
3 similar comments
|
/test |
|
/test |
|
/test |
|
/test |
|
/test-tdx |
|
/test |
fidencio
force-pushed
the
topic/test-kata-ci-stuff
branch
from
1d25728 to
3843fae
Compare
|
/test |
2 similar comments
|
/test |
|
/test |
|
/test-tdx |
|
/test-tdx |
fidencio
force-pushed
the
topic/test-kata-ci-stuff
branch
from
35fc2e5 to
ebc29f9
Compare
|
/test |
1 similar comment
|
/test |
fidencio
force-pushed
the
topic/test-kata-ci-stuff
branch
from
583b325 to
e71a696
Compare
|
/test |
|
@fidencio thanks for adding snapshotter to operator in this, I know this is still in progress, I want to add some of my findings when try it in my local to eliminate potential problems. As I tried in my local, we should only enable I guess which is because it makes mess when both runc and kata pods are referring to same image, which I think is always true for
Sorry for the disturb if you have tried/knew it already. |
|
@huoqifeng, first of all, thanks a whole lot for taking some time to test it out with the remote hypervisor! This is what the Operator is deploying as the containerd configuration: https://gist.github.com/fidencio/3b9f1f8049d1b1b43b6c976987f497c9#file-containerd-config-toml-L225-L228 The important parts are:
[proxy_plugins]
[proxy_plugins.nydus]
type = "snapshot"
address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
BinaryName = ""
CriuImagePath = ""
CriuPath = ""
CriuWorkPath = ""
IoGid = 0
IoUid = 0
NoNewKeyring = false
NoPivotRoot = false
Root = ""
ShimCgroup = ""
SystemdCgroup = false
[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = ""
[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
snapshotter = "nydus"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-clh]
runtime_type = "io.containerd.kata-clh.v2"
snapshotter = "nydus"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-clh.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-clh.toml"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-clh-tdx]
runtime_type = "io.containerd.kata-clh-tdx.v2"
snapshotter = "nydus"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-clh-tdx.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-clh-tdx.toml"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu]
runtime_type = "io.containerd.kata-qemu.v2"
snapshotter = "nydus"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-qemu.toml"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu-tdx]
runtime_type = "io.containerd.kata-qemu-tdx.v2"
snapshotter = "nydus"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu-tdx.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-qemu-tdx.toml"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu-sev]
runtime_type = "io.containerd.kata-qemu-sev.v2"
snapshotter = "nydus"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu-sev.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-qemu-sev.toml"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu-snp]
runtime_type = "io.containerd.kata-qemu-snp.v2"
snapshotter = "nydus"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu-snp.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-qemu-snp.toml"These configs worked for me in a very simple set of tests I ran, but we're still facing issues in the CI (which I'm debugging as we speak). @huoqifeng, just to confirm, the configurations match with yours, correct? |
|
Also, for reference, for the nydus-snapshotter, the way we're deploying it is basically putting the binary on the host, and also adding a new systemd service, which we simply make it enabled. Here's the systemd unit: The important parts here are the:
|
|
@fidencio I'm not using a completely installation but just |
|
/test |
|
Okay, I had a really good debug session with @stevenhorsman, where we could notice at least 2 issues coming from the kata-containers side:
With that we got more green tests on this front, and here's where I call it a week. @stevenhorsman will talk to Ding and PRs will be opened by Tomorrow, and on Monday I'll get back to this. @stevenhorsman, sincerely, thanks a lot for the help! |
|
/test |
1 similar comment
|
/test |
fidencio
force-pushed
the
topic/test-kata-ci-stuff
branch
from
106e445 to
a16f423
Compare
|
/test |
1 similar comment
|
/test |
Signed-off-by: Fabiano Fidêncio <[email protected]>
We're facing some errors in the CI (which I'm not able to reproduce locally) when trying to build the s390x image. Let's skip it for now just for the sake of having something tested. Signed-off-by: Fabiano Fidêncio <[email protected]>
As we want to start testing and shipping with nydus / upstream containerd. Signed-off-by: Fabiano Fidêncio <[email protected]>
This is used in the install_nydus_snapshotter_artefacts() function without being declared. Signed-off-by: Fabiano Fidêncio <[email protected]>
For now we're only using nydus, let's make sure to set it properly instead of depending on a non-existent env var. Signed-off-by: Fabiano Fidêncio <[email protected]>
Now that we're relying on it. Signed-off-by: Fabiano Fidêncio <[email protected]>
We will do it in a better way, rather than hardcoding it here, but for now we want to know whether tests will pass with it on. Signed-off-by: Fabiano Fidêncio <[email protected]>
This needs to be dropped, but it allows us to keep testing. There's an error, still to be debugged, as the snapshotter is not being properly set with the current operator logic. Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
Let's rely on containerd's drop-in stuff, as it makes things way easier for us than relying on (even more) seds all over the place. Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
Please, see: kata-containers/tests#5785 Signed-off-by: Fabiano Fidêncio <[email protected]>
fidencio
force-pushed
the
topic/test-kata-ci-stuff
branch
from
964a694 to
40787c9
Compare
|
/test |
2 similar comments
|
/test |
|
/test |
|
I'm closing this one as #267 got merged. |
|
Why is it necessary to use "/usr/bin/containerd + /opt/confidential-containers/bin/containerd-nydus-grpc" instead of "/opt/confidential-containers/bin/containerd" by default from v0.7.0 to v0.8.0? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.