Add containerd config options #11080
Conversation
k8s-ci-robot
added
kind/feature
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @spnngl. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/S
| level = "{{ containerd_debug_level }}" | ||
| format = "{{ containerd_debug_format }}" | ||
|
|
There was a problem hiding this comment.
HI @spnngl
When using containerd config default, it outputs:
[debug]
address = ""
format = ""
gid = 0
level = ""
uid = 0
So, the default config should not be changed :-)
If we want to customize the config, we can use the code:
{% if containerd_debug_address %}
address = "{{ containerd_debug_address }}"
{% else %}
And the code in roles/container-engine/containerd/defaults/main.yml
# some comments...
# containerd_debug_address: "/var/run/containerd/debug.sock"
The same as the other variables.
Thanks
There was a problem hiding this comment.
Changed it in last push
There was a problem hiding this comment.
Hum, I really disagree with that. It's of little use to match the output of containerd config default, because it's not like we can use that directly in our jinja template, so we have to update mostly manually anyway if containerd defaults change.
I'd rather have explicit defaults and a more straightforward template, with as little branching as possible.
There was a problem hiding this comment.
I put containerd_debug_level back to its previous value and the others will be used only if defined by the user
There was a problem hiding this comment.
What I meant is that we should not have to use is defined everywhere, and keeping the same structure that the output of containerd config default buy us nothing, so we should just have something like:
{% if containerd_debug_enabled %}
[debug]
setting_1 = {{ containerd_default_value_for_setting_1 }}
...
{% endif %}
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
spnngl
force-pushed
the
chore/containerd/config
branch
from
12ed2f1 to
10ec72f
Compare
k8s-ci-robot
added
size/M
spnngl
force-pushed
the
chore/containerd/config
branch
3 times, most recently
from
72f332a to
66ca060
Compare
k8s-ci-robot
added
size/S
spnngl
force-pushed
the
chore/containerd/config
branch
from
66ca060 to
b2a8f7c
Compare
k8s-ci-robot
added
size/M
|
@spnngl please add a proper release note. |
|
I just added it to the release-note section of this PR |
| @@ -8,7 +8,19 @@ oom_score = {{ containerd_oom_score }} | |||
| max_send_message_size = {{ containerd_grpc_max_send_message_size }} | |||
|
|
|||
| [debug] | |||
There was a problem hiding this comment.
Unless I'm mistaken, the debug socket is not enabled if this section is not present.
IMO, this whole section should be guarded with something like containerd_enabled_debug_socket, defaulting to false.
Production setup should presumably not have a debug socket lying around.
There was a problem hiding this comment.
This section is already present in current kubespray config to customize log level
There was a problem hiding this comment.
The debug log level is not the same thing that the normal log level, is it not ?
I know that section is already present. What I mean is that it should not be enabled by default, as kubespray by default target production use cases, and having a debug socket enabled in production is not optimal.
There was a problem hiding this comment.
It set the log level for everything, not just debug ones.
Same for the log format inside it.
Do you still want to disable this section entirely with a containerd_enabled_debug bool ? And no if defined inside it ?
It takes the config.Debug.Level if no cli params is used, cli flags have higher priorities but we do not use them in kubespray.
func setLogLevel(context *cli.Context, config *srvconfig.Config) error {
l := context.GlobalString("log-level")
if l == "" {
l = config.Debug.Level
}
if l != "" {
return log.SetLevel(l)
}
return nil
}Config struct is found here and the debug section looks like this:
type Debug struct {
Address string `toml:"address"`
UID int `toml:"uid"`
GID int `toml:"gid"`
Level string `toml:"level"`
// Format represents the logging format. Supported values are 'text' and 'json'.
Format string `toml:"format"`
}There was a problem hiding this comment.
Wow, this is so weird (or I totally misunderstood something). Does that mean there is no way to change the log level from the config without enabling the debug socket ?
I mean, I assumed that the "normal" log stream (which I presume goes to standard output) and the "debug" log stream (to the debug socket) where different, but are they in fact the same ?
I've tried to check containerd documentation but couldn't find explanation about this.
That said, I still thinks we should not enable the debug socket in production, (unless the debug socket is an unfortunate naming and it's in fact required ?). Since we handle the generation of the systemd unit for containerd we could inject the log level as flags... 🤔
That does seems a bit weird from containerd though, I feel like I'm missing something.
There was a problem hiding this comment.
Having the [debug] section in the toml config does not mean we activate the debug socket.
It is only activated if config.Debug.Address != "", you can see the code here: https://github.com/containerd/containerd/blob/v1.7.16/cmd/containerd/command/main.go#L232
By default debug socket is always disabled.
if config.Debug.Address != "" {
var l net.Listener
if isLocalAddress(config.Debug.Address) {
if l, err = sys.GetLocalListener(config.Debug.Address, config.Debug.UID, config.Debug.GID); err != nil {
return fmt.Errorf("failed to get listener for debug endpoint: %w", err)
}
} else {
if l, err = net.Listen("tcp", config.Debug.Address); err != nil {
return fmt.Errorf("failed to get listener for debug endpoint: %w", err)
}
}
serve(ctx, l, server.ServeDebug)
}func isLocalAddress(path string) bool {
return filepath.IsAbs(path)
}It is exactly the same for the metrics one: https://github.com/containerd/containerd/blob/v1.7.16/cmd/containerd/command/main.go#L245
if config.Metrics.Address != "" {
l, err := net.Listen("tcp", config.Metrics.Address)
if err != nil {
return fmt.Errorf("failed to get listener for metrics endpoint: %w", err)
}
serve(ctx, l, server.ServeMetrics)
}There was a problem hiding this comment.
Ok, I think I got it, thanks for bearing with me (https://github.com/containerd/containerd/blob/main/docs/man/containerd-config.toml.5.md is not super helpful here !).
So, defining the address is what activate the debug socket, got it.
But according to the link above, it has a default value of /run/containerd/debug.sock, so it would be activated by default, is that correct ?
What I would do in that case is have in our defaults/main.yml something like that.
containerd_debug_enable: false
contaienrd_debug_address: '/run/containerd/debug.sock
# the rest of the value with default matching containerd And in the template something likg
[debug]
address = "{{ containerd_debug_enable | ternary(containerd_debug_address, '') }}"
# the rest of the valueswdyt ?
There was a problem hiding this comment.
The doc is misleading, it says it is enabled by default but it is not.
Here the config from a newly created node in my cluster
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0
[grpc]
max_recv_message_size = 16777216
max_send_message_size = 16777216
[debug]
level = "info"
[metrics]
address = ""
grpc_histogram = false
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "registry.k8s.io/pause:3.9"
max_container_log_line_size = -1
enable_unprivileged_ports = false
enable_unprivileged_icmp = false
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"
snapshotter = "overlayfs"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
runtime_engine = ""
runtime_root = ""
base_runtime_spec = "/etc/containerd/cri-base.json"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
systemdCgroup = true
binaryName = "/opt/bin/runc"No debug.sock is setup nor present on the node, it seems to default to "", we can check with /opt/bin/containerd config dump which gives us
[debug]
address = ""
format = ""
gid = 0
level = "info"
uid = 0We can setup it explicitely like you said, it may be less confusing for us and users.
There was a problem hiding this comment.
[debug]
address = ""
format = ""
gid = 0
level = "info"
uid = 0I think this would be an okay output when running with kubespray defaults, so yeah, let's go the explicit way (minus the enable which is not needed if we just default to "" for the address.
There was a problem hiding this comment.
I pushed my modifications
| # debug socket location: unix or tcp format | ||
| containerd_debug_address: "" | ||
| containerd_debug_level: "" | ||
| # logs format, supported values: text, json | ||
| containerd_debug_format: "" | ||
| containerd_debug_uid: 0 | ||
| containerd_debug_gid: 0 |
There was a problem hiding this comment.
I'd rather have some consistency here : either put the default for all settings, or for none.
And I'd lean towards documenting the defaults explicitely.
There was a problem hiding this comment.
I put it to the containerd config default as requested previously, I changed it back to what it was for containerd_debug_level and add the others only if they are defined by the user
| level = "{{ containerd_debug_level }}" | ||
| format = "{{ containerd_debug_format }}" | ||
|
|
There was a problem hiding this comment.
Hum, I really disagree with that. It's of little use to match the output of containerd config default, because it's not like we can use that directly in our jinja template, so we have to update mostly manually anyway if containerd defaults change.
I'd rather have explicit defaults and a more straightforward template, with as little branching as possible.
spnngl
force-pushed
the
chore/containerd/config
branch
from
b2a8f7c to
715f28e
Compare
|
Also, could you make the release note a bit more concise ? It's supposed to be a single line entry in a Releases Notes (example |
spnngl
force-pushed
the
chore/containerd/config
branch
from
715f28e to
5c2f11a
Compare
k8s-ci-robot
added
the
release-note
spnngl
force-pushed
the
chore/containerd/config
branch
from
5c2f11a to
a7b8474
Compare
spnngl
force-pushed
the
chore/containerd/config
branch
from
a7b8474 to
964fc23
Compare
|
@VannTen Hi, anything to add before merging ? |
|
Thanks @spnngl A great PR. /approve |
k8s-ci-robot
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mzaian, spnngl, yankay The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
* chore(containerd): add some config debug options See: https://github.com/containerd/containerd/blob/v1.7.15/docs/man/containerd-config.toml.5.md * chore(containerd): add CRI config options See: https://github.com/containerd/containerd/blob/v1.7.15/docs/man/containerd-config.toml.5.md See: https://github.com/containerd/containerd/blob/v1.7.15/docs/cri/config.md
What type of PR is this?
/kind feature
What this PR does / why we need it:
Get more containerd configuration options, notably SElinux and debug socket.
Which issue(s) this PR fixes:
Fixes #11081
Special notes for your reviewer:
Does this PR introduce a user-facing change?: