Use internal CRI resource conversion functions instead of
the ones which were recently dropped from core NRI to get
rid of a direct NRI dependency on CRI.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
This was producing different metric names which can break metric
collection. Reverting to the previous "cri" subsystem so metrics are
consistent across 1.X and 2.X.
Signed-off-by: Chris Henzie <chrishenzie@google.com>
- adds a transfer service progress reporter to handle timeouts. Also other test fixes
- fallback to local image pull when configuration conflict
Signed-off-by: Tony Fang <nhfang@amazon.com>
Co-authored-by: Swagat Bora <sbora@amazon.com>
- internal/cri/bandwidth: use lazyregexp to compile regexes on first use
- pkg/identifiers: use lazyregexp to compile regexes on first use
- pkg/progress: use lazyregexp to compile regexes on first use
- pkg/reference: use lazyregexp to compile regexes on first use
- pkg/sys: use lazyregexp to compile regexes on first use
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Based on the "lazyregexp" package in golang.org/x/mod;
https://cs.opensource.google/go/x/mod/+/refs/tags/v0.19.0:internal/lazyregexp/lazyre.go;l=66-78
This package allows defining regular expressions that should not be
compiled until used, but still providing validation to prevent
invalid regular expressions from producing a panic at runtime.
The lazyregexp package provides a subset of the methods provided
by "regexp" and only implements the methods used in the codebase.
Additional methods can be added when needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Avoid introducing utils package outside of internal. This package
should not be imported by other modules.
Signed-off-by: Derek McGowan <derek@mcg.dev>
This patch changes `criService.runtimeHandlers` from
a slice to a map, so we don't need to for-loop slice
in `createContainer`.
It also refactors `introspectRuntimeHandler` a bit
so it can be called given a single `config.Runtime`.
This will help implement extracting runtime config
to separate files (https://github.com/containerd/containerd/issues/9296)
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
Schema 1 (`application/vnd.docker.distribution.manifest.v1+prettyjws`) has been
officially deprecated since containerd v1.7 (PR 6884), and disabled since v2.0 (PR 9765).
Users who have been seeing warnings like `conversion from schema 1 images is deprecated`
now have to rebuild the image with Schema 2 or OCI.
Schema 2 was introduced in Docker 1.10 (Feb 2016), so most users should have been already
using Schema 2 or OCI.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Set up NRI container adjustment with an extra option, allowing
NRI plugins to inject devices using CDI.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Currently `cri.config.headers` is only added
to registry requests (manifests/blobs), but not
the auth requests.
This patch fixed it by passing `cri.config.headers`
when we create `DockerAuthorizer`.
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
Unmounting a writable overlayfs can trigger [syncfs][1], causing I/O pressure
and impacting running containers. If possible, we should apply volatile
option to image volume mount.
REF:
[1]: https://github.com/containerd/containerd/pull/6478
Signed-off-by: Wei Fu <fuweid89@gmail.com>
To make it as DEPRECATED, this PR does the following:
1. Changes config default to use `NetworkPluginBinDirs`;
2. Mark `NetworkPluginBinDir` as deprecated (in config version 3);
3. Add config migration from 2 to 3, which migrates `bin_dir`
in version 2 to `bin_dirs` in version 3.
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
[wip] add deprecation warning
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
This implements container restore as described in:
https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/#restore-checkpointed-container-standalone
For detailed step by step instruction also see contrib/checkpoint/checkpoint-restore-cri-test.sh
The code changes are based on changes I have done in Podman around 2018
and CRI-O around 2020.
The history behind restoring container via CRI/Kubernetes probably
requires some explanation. The initial proposal to bring
checkpoint/restore to Kubernetes was looking at pod checkpoint and
restoring and the corresponding CRI changes.
https://github.com/kubernetes-sigs/cri-tools/pull/662https://github.com/kubernetes/kubernetes/pull/97194
After discussing this topic for about two years another approach was
implemented as described in KEP-2008:
https://github.com/kubernetes/enhancements/issues/2008
"Forensic Container Checkpointing" allowed us to separate checkpointing
from restoring. For the "Forensic Container Checkpointing" it is enough
to create a checkpoint of the container. Restoring is not necessary as
the analysis of the checkpoint archive can happen without restoring the
container.
While thinking about a way to restore a container it was by coincidence
that we started to look into restoring containers in Kubernetes via
Create and Start. The way it was done in CRI-O is to figure out during
Create if the container image is a checkpoint image and if that is true
we are using another code path. The same was implemented now with this
change in containerd.
With this change it is possible to restore the container from a
checkpoint tar archive that is created during checkpointing via CRI.
To restore a container via Kubernetes we convert the tar archive to an
OCI image as described in the kubernetes.io blog post from above. Using
this OCI image it is possible to restore a container in Kubernetes.
At this point I think it should be doable to restore containers in
CRI-O and containerd no matter if they have been created by containerd or
CRI-O. The biggest difference is the container metadata and that can
be adapted during restore.
Open items:
* It is not clear to me why restoring a container in containerd goes
through task/Create(). But as the restore code already exists this
change extended the existing code path to restore a container in
task/Create() to also restore a container through the CRI via
Create and Start.
* Automatic image pulling. containerd does not pull images
automatically if created via the CRI. There is an option in
crictl to pull images before starting, but that uses the CRI
image pull interface. It is still a separate pull and create
operation. Restoring containers from an OCI image is a bit
different. The checkpoint OCI image does not include the base
image, but just a reference to the image (NAME@DIGEST).
Using crictl with pulling will enable the pulling of the
checkpoint image, but not of the base image the checkpoint is
based on. So during preparation of the checkpoint containerd
will automatically pull the base image, but I was not able how
to pull an image blockingly in containerd. So there is a for
loop waiting for the container image to appear in the internal
store. I think this probably can be implemented better.
Anyway, this is a first step towards container restored in Kubernetes
when using containerd.
Signed-off-by: Adrian Reber <areber@redhat.com>
Block the synchronization of registering NRI plugins during
CRI events to avoid the plugin ending up in an inconsistent
starting state after initial sync (missing pods, containers
or missed events for some pods or containers).
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>