Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pre-install: Create containerd config it it doesn't exist #273

Merged
merged 1 commit into from
Oct 27, 2023
Merged

pre-install: Create containerd config it it doesn't exist #273

merged 1 commit into from
Oct 27, 2023

Conversation

fidencio
Copy link
Member

We're relying here on containerd being on /usr/local/bin/, which we do have access to, in order to create such config.

We're creating the config as the first thing on the script, as we don't want to get into the situation where a configuration was added / removed and we end up with that in the system due to us using a newer version of containerd than the one present in the system.

We may face more issues in the future, such as:

  • containerd is only in /usr/bin/
    • We can start exposing this as a host path mount, but let's not do it unless it becomes necessary
  • when CRI-O is supported, this file should only be created in case containerd is used

However, for now, let's go with this approach and avoid users hitting a possible error due to the lack of contained configuration.

Fixes: #271

@fidencio
Copy link
Member Author

/test

@fidencio
Copy link
Member Author

/cc @stevenhorsman @fitzthum

stevenhorsman
stevenhorsman reviewed Oct 27, 2023
View reviewed changes
Copy link
Member

@stevenhorsman stevenhorsman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you are already aware of this, but when I building the image and testing out the code it created the /etc/containerd/config.toml, but it had no content

@fidencio fidencio marked this pull request as draft October 27, 2023 15:23
@fidencio fidencio force-pushed the topic/create-containerd-config-if-it-does-not-exist branch from 4382f2f to 47e3d28 Compare October 27, 2023 15:52
@fidencio
pre-install: Create containerd config it it doesn't exist
150d381 
We're relying here on containerd being on /usr/local/bin/, which we do
have access to, in order to create such config.

We're creating the config as the first thing on the script, as we don't
want to get into the situation where a configuration was added / removed
and we end up with that in the system due to us using a newer version of
containerd than the one present in the system.

We may face more issues in the future, such as:
* containerd is only in /usr/bin/
  * We can start exposing this as a host path mount, but let's not do it
    unless it becomes necessary
* when CRI-O is supported, this file should only be created in case
  containerd is used

However, for now, let's go with this approach and avoid users hitting a
possible error due to the lack of contained configuration.

Fixes: confidential-containers#271

Signed-off-by: Fabiano Fidêncio <[email protected]>
@fidencio fidencio force-pushed the topic/create-containerd-config-if-it-does-not-exist branch from 47e3d28 to 150d381 Compare October 27, 2023 15:53
@fidencio
Copy link
Member Author

I think you are already aware of this, but when I building the image and testing out the code it created the /etc/containerd/config.toml, but it had no content

That was happening due to the lack of gcompat installed in the pre-reqs base image, which is based on alpine.

@fidencio fidencio marked this pull request as ready for review October 27, 2023 15:55
stevenhorsman
stevenhorsman approved these changes Oct 27, 2023
View reviewed changes
Copy link
Member

@stevenhorsman stevenhorsman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is working for me now. On my system that wasn't using a containerd config I

  • Rebuild the req payload and pushed it to quay, then updated the peer-pod cc runtime kustomize to use that as a new image
  • I ssh'd into my worker node and confirmed that the /etc/containerd was empty:
ls -al /etc/containerd/
total 8
drwxr-xr-x  2 root root 4096 Oct 27 15:58 .
drwxr-xr-x 97 root root 4096 Oct 27 15:59 ..
  • I deployed the CoCo manager and my peer pods CC runtime an waited for the pre-install-daemon to be running
  • I re-checked the directory in my worker and the new file existed and was non-empty now:
 ls -al /etc/containerd/
total 20
drwxr-xr-x  3 root root 4096 Oct 27 16:13 .
drwxr-xr-x 97 root root 4096 Oct 27 15:59 ..
-rw-r--r--  1 root root 7911 Oct 27 16:13 config.toml
drwxr-xr-x  2 root root 4096 Oct 27 16:13 config.toml.d
root@sh-sm-z-cluster-2023-10-26-node-1:~# cat /etc/containerd/config.toml
disabled_plugins = []
imports = ["/etc/containerd/config.toml.d/nydus-snapshotter.toml"]
oom_score = 0
plugin_dir = ""
required_plugins = []
root = "/var/lib/containerd"
state = "/run/containerd"
...

Thanks a lot for the fix!

fitzthum
fitzthum approved these changes Oct 27, 2023
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fidencio
Copy link
Member Author

/test

@fidencio fidencio merged commit fad6ef4 into confidential-containers:main Oct 27, 2023
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevenhorsman stevenhorsman stevenhorsman approved these changes

@fitzthum fitzthum fitzthum approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Take into consideration that /etc/containerd/config.toml may not exists
3 participants
@fidencio @fitzthum @stevenhorsman