-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use sandboxed CRI by default #8994
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. We likely also should update the prow jobs so we can have both enabled and disabled modes tested for e2e.
CI does not like this. |
oof yea, all seem to be:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just a couple nits..
pkg/cri/cri.go
Outdated
if os.Getenv("ENABLE_CRI_SANDBOXES") != "" { | ||
log.G(ctx).Info("using experimental CRI Sandbox server - unset ENABLE_CRI_SANDBOXES to disable") | ||
if os.Getenv("DISABLE_CRI_SANDBOXES") == "" { | ||
log.G(ctx).Info("using experimental CRI Sandbox server - use DISABLE_CRI_SANDBOXES=1 to fallback to legacy CRI") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log.G(ctx).Info("using experimental CRI Sandbox server - use DISABLE_CRI_SANDBOXES=1 to fallback to legacy CRI") | |
log.G(ctx).Info("using CRI Sandbox server - use DISABLE_CRI_SANDBOXES=1 to fallback to legacy CRI") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably this should be Debug()
log
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if so.. catch the else case log below
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Debug
is disabled by default on production environments, I think it'd good to keep it visible to raise awareness that we substitute CRI implementation? We can remove this in 2.1 with the legacy CRI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
more changes needed
https://github.com/containerd/containerd/blob/main/containerd.service#L22
https://github.com/containerd/containerd/blob/main/Vagrantfile#L275
https://github.com/containerd/containerd/blob/main/contrib/Dockerfile.test#L97
https://github.com/containerd/containerd/blob/main/integration/sandbox_run_rollback_test.go#L296
https://github.com/containerd/containerd/blob/main/pkg/cri/config/config.go#L81
https://github.com/containerd/containerd/blob/main/script/test/cri-integration.sh#L47-L49
https://github.com/containerd/containerd/blob/main/script/test/utils.sh#L218-L220
noting over on the k8s side.. https://github.com/kubernetes/test-infra/blob/dc4b748b13259a634c779c0d6d0c11b976dc9d33/config/jobs/containerd/containerd/containerd-presubmit-jobs.yaml#L212-L213 |
Signed-off-by: Maksym Pavlenko <[email protected]>
Signed-off-by: Maksym Pavlenko <[email protected]>
Recently, in the containerd `main` branch, the following PR was merged: containerd/containerd#8994 This makes containerd to use the new sandboxes CRI, by default. From my observations, this is causing some issues with `kubectl exec` with Kubernetes latest `master` branch code, deployed with containerd latest `main` branch code. Fallback to the legacy CRI implementation via `DISABLE_CRI_SANDBOXES=1`, until this issue is fixed. This will be a NOOP for stable containerd deployments. Signed-off-by: Ionut Balutoiu <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed
This will use the sandboxed CRI by default leaving an option to fallback to the legacy implementation via
DISABLE_CRI_SANDBOXES
env.