A more easy way to setup nydus snapshotter by DaemonSet #570
Conversation
Add comments for fs_driver on snapshotter config. Signed-off-by: ChengyuZhu6 <[email protected]>
ChengyuZhu6
changed the title
|
@ChengyuZhu6 Thanks for your great work! It will take some time to review. |
|
It seems to break some tests, let's take a look first. |
|
Cloud we enhance the helm chart? We can provide the options to configure the snapshotter |
Yes, I plan to use helm for installing snapshotter, but it requires a different repo. So I have proposed an alternative method that does not rely on helm. Next, I will submit a PR to the helm repo. |
|
It seems the CI still needs to be fixed: https://github.com/containerd/nydus-snapshotter/actions/runs/7269460179/job/19807116165?pr=570 :) |
misc/snapshotter/Dockerfile
Outdated
| @@ -26,6 +26,14 @@ COPY containerd-nydus-grpc /usr/local/bin/ | |||
| RUN chmod +x /usr/local/bin/containerd-nydus-grpc | |||
| COPY nydusd-config.fusedev.json /etc/nydus/config.json | |||
| COPY nydusd-config-localfs.json /etc/nydus/localfs.json | |||
| COPY nydusd-config.fusedev.json /etc/nydus/nydusd-fusedev.json | |||
| COPY nydusd-config-localfs.json /etc/nydus/nydusd-localfs.json | |||
There was a problem hiding this comment.
nydusd-config-localfs.json is copied twice (likewise nydusd-config.fusedev.json);
Maybe it can be copied to /etc/nydus/nydusd-localfs.json only, then create a /etc/nydus/localfs.json symlink
misc/snapshotter/Dockerfile
Outdated
| COPY config-proxy.toml /etc/nydus/config-proxy.toml | ||
| COPY config-fscache.toml /etc/nydus/config-fscache.toml | ||
| COPY config-fusedev.toml /etc/nydus/config-fusedev.toml | ||
|
|
||
| COPY entrypoint.sh / | ||
|
|
There was a problem hiding this comment.
Regarding the renaming of config-coco-host-sharing.toml → misc/snapshotter/config-blockdev.toml and ...napshotter/config-coco-guest-pulling.toml → misc/snapshotter/config-proxy.toml , would make sense to add the kata- filename prefix because they should be used with kata containers?
misc/snapshotter/snapshotter.sh
Outdated
| fscache) SNAPSHOTTER_CONFIG="${NYDUS_CONFIG_DIR}/config-fscache.toml" ;; | ||
| blockdev) SNAPSHOTTER_CONFIG="${NYDUS_CONFIG_DIR}/config-blockdev.toml" ;; | ||
| proxy) SNAPSHOTTER_CONFIG="${NYDUS_CONFIG_DIR}/config-proxy.toml" ;; | ||
| *) die "invalid fs driver" ;; |
There was a problem hiding this comment.
I suggest to log the name of the invalid driver, e.g., invalid fs driver: ${FS_DRIVER}
misc/snapshotter/Dockerfile
Outdated
|
|
||
| FROM alpine:3.17.0 | ||
|
|
||
| WORKDIR /root/ | ||
|
|
||
| RUN apk add --no-cache libc6-compat | ||
| RUN apk add --no-cache libc6-compat bash jq |
There was a problem hiding this comment.
Hi @ChengyuZhu6 ! I'm not sure if you are aware of but we have found an issue while using toml-cli on kata containers that was corrupting the containerd's configuration file. @fidencio gave some details in kata-containers/kata-containers#8679 (comment) but it turns out you must ensure jq > 1.7 is installed. Here is how it was solved on kata side: kata-containers/kata-containers@41320c5
There was a problem hiding this comment.
Hey @wainersm. Thanks for your review. Here we use toml-cli , not tomlq.
There was a problem hiding this comment.
oh, I was wondering why the binary is named toml rather than tomlq and that explains :)
misc/snapshotter/snapshotter.sh
Outdated
| local key="$1" | ||
| local value="$2" | ||
| local file="${3:-$SNAPSHOTTER_CONFIG}" | ||
| toml set --overwrite "$file" "$key" $value |
misc/snapshotter/snapshotter.sh
Outdated
| update_toml_config "experimental.tarfs.mount_tarfs_on_host" "$MOUNT_TARFS_ON_HOST" | ||
| update_toml_config "experimental.tarfs.export_mode" "$EXPORT_MODE" | ||
| ;; | ||
| *) die "invalid fs driver in options_handler" ;; |
misc/snapshotter/snapshotter.sh
Outdated
| elif toml check $CONTAINER_RUNTIME_CONFIG "proxy_plugins.nydus" >/dev/null; then | ||
| echo "the config has configured the nydus proxy plugin!" | ||
| else | ||
| die "there is another proxy plugin in the containerd!" |
There was a problem hiding this comment.
Thanks for your reminder, I have fixed it.
misc/snapshotter/snapshotter.sh
Outdated
| if toml check $CONTAINER_RUNTIME_CONFIG "proxy_plugins" >/dev/null; then | ||
| if [ "$(toml get $CONTAINER_RUNTIME_CONFIG proxy_plugins | jq length)" == "0" ]; then | ||
| echo "there is no proxy plugin!" | ||
| cat <<EOF >>"$CONTAINER_RUNTIME_CONFIG" |
There was a problem hiding this comment.
is it possible to add the proxy_plugins entire section with toml instead of cat?
Maybe have a variable to hold /run/containerd-nydus/containerd-nydus-grpc.sock?
There was a problem hiding this comment.
Maybe have a variable to hold /run/containerd-nydus/containerd-nydus-grpc.sock?
Fixed.
There was a problem hiding this comment.
is it possible to add the proxy_plugins entire section with toml instead of cat?
I don't think that's possible due to a limitation on the toml-cli.
misc/snapshotter/snapshotter.sh
Outdated
| EOF | ||
| fi | ||
|
|
||
| update_toml_config "plugins.\"io.containerd.grpc.v1.cri\".containerd.discard_unpacked_layers" false "${CONTAINER_RUNTIME_CONFIG}" |
There was a problem hiding this comment.
Mind to document why nydus-snapshotter needs those two configurations enabled?
misc/snapshotter/snapshotter.sh
Outdated
| update_toml_config "plugins.\"io.containerd.grpc.v1.cri\".containerd.snapshotter" "nydus" "${CONTAINER_RUNTIME_CONFIG}" | ||
| fi | ||
|
|
||
| nsenter -t 1 -m systemctl -- restart containerd.service |
There was a problem hiding this comment.
Should it wait containerd to restart then check it is running properly again?
There was a problem hiding this comment.
Yes, please, I second Wainer's request on this, as we faced issues where containerd would simply be off after some changes.
| @@ -154,3 +154,21 @@ function deploy_snapshotter() { | |||
| configure_snapshotter | |||
| ${COMMANDLINE} & | |||
| } | |||
|
|
|||
| function cleanup_snapshotter() { | |||
| pid=$(ps -ef | grep containerd-nydus-grpc | grep -v grep | awk '{print $1}') | |||
There was a problem hiding this comment.
I suspect that you can use $SNAPSHOTTER_BINARY. Something like:
pid=$(pidof -s "$SNAPSHOTTER_BINARY" || true)
BTW, I'm a little confused here... is the snapshotter daemon running on the host or within the daemonset container? If the former then it needs to run the command with nsenter, right?
There was a problem hiding this comment.
It would running in the daemonset.
There was a problem hiding this comment.
I have changed the logic so that the snapshotter runs on the host and can be as a systemd service.
| pid=$(ps -ef | grep containerd-nydus-grpc | grep -v grep | awk '{print $1}') | ||
| if [ ! -z "$pid" ]; then | ||
| for i in $(nsenter -t 1 -m ctr -n k8s.io snapshot --snapshotter nydus list | grep -v KEY | cut -d' ' -f1); do | ||
| nsenter -t 1 -m ctr -n k8s.io snapshot --snapshotter nydus rm $i || true |
There was a problem hiding this comment.
I suppose this operation can fail if a running pod has used the snapshot. Here we ignore the fail and proceed to remove the other snapshots then finally remove nydus-snapshotter completely. I'm wondering what happens to the pod that is still using the snapshot. Does it keep running normally?
|
@ChengyuZhu6 I've finished my review and left a couple of comments. I didn't find any bug but I'm afraid I won't have time to give it a try. Thanks for working on this && amazing work! |
There was a problem hiding this comment.
Hi @ChengyuZhu6 , thanks for this. Just left a few comments here.
|
|
||
| Next, we can configure access control for nydus snapshotter. | ||
| ```bash | ||
| kubectl apply -f nydus-snapshotter-rbac.yaml |
There was a problem hiding this comment.
This file is not present at the nydus-snapshotter root folder:
kubectl apply -f misc/snapshotter/nydus-snapshotter-rbac.yaml
There was a problem hiding this comment.
Fixed. Thanks for your review @beraldoleal !
| Afterward, we can deploy a DaemonSet for nydus snapshotter. | ||
|
|
||
| ```bash | ||
| kubectl apply -f nydus-snapshotter.yaml |
There was a problem hiding this comment.
Same here:
kubectl apply -f misc/snapshotter/nydus-snapshotter.yaml
|
|
||
| ```bash | ||
| $ kubectl delete -f nydus-snapshotter.yaml | ||
| $ kubectl delete -f nydus-snapshotter-rbac.yaml |
misc/snapshotter/Dockerfile
Outdated
| RUN mkdir -p /usr/bin/ /opt/nydus/ /var/lib/containerd-nydus/cache /tmp/blobs/ | ||
| COPY --from=sourcer /nydus* /usr/bin/ | ||
| COPY --from=sourcer /toml /usr/bin/ | ||
| COPY containerd-nydus-grpc /usr/bin/ |
There was a problem hiding this comment.
I'm not familiar with this repository, so not sure if I'm missing something (probably I am).... but I was not able to test the entire solution because I can't build the image:
"/containerd-nydus-grpc": not found
Do you mind to share what I'm missing?
There was a problem hiding this comment.
I guess you should build this project binaries and copy containerd-nydus-grpc over misc/snaphotter. Thanks for giving it a try @beraldoleal !
There was a problem hiding this comment.
@wainersm I tried that, but the binary was still missing because is a wrong path. @ChengyuZhu6 do you mind sharing if we need any extra step to make this passing? Or maybe a README.md here with a quick/basic instructions?
There was a problem hiding this comment.
Thanks for your informations. The following are steps to build the snapshotter docker image:
$ make # build snapshotter binaries
$ cp bin/* misc/snapshotter/
$ pushd misc/snapshotter/
$ docker build -t ghcr.io/containerd/nydus-snapshotter:latest .
$ popdThere was a problem hiding this comment.
It would be nice then to add those instructions to a README on misc/snapshotter, not fancy, just this. Alternatively, add those steps as part of a make snapshotter target.
There was a problem hiding this comment.
It would be nice then to add those instructions to a README on
misc/snapshotter, not fancy, just this. Alternatively, add those steps as part of amake snapshottertarget.
Done.
ChengyuZhu6
force-pushed
the
payload
branch
3 times, most recently
from
5060b74 to
045a661
Compare
| subjects: | ||
| - kind: ServiceAccount | ||
| name: nydus-snapshotter-sa | ||
| namespace: nydus-snapshotter |
misc/snapshotter/config-proxy.toml
Outdated
| log_to_stdout = true | ||
| # Snapshotter's log level | ||
| level = "info" | ||
|
|
||
| [snapshot] | ||
| # Insert Kata volume information to `Mount.Options` | ||
| enable_kata_volume = true |
misc/snapshotter/config-fscache.toml
Outdated
| # Print logs to stdout rather than logging files | ||
| log_to_stdout = true | ||
| # Snapshotter's log level | ||
| level = "info" |
misc/snapshotter/config-fusedev.toml
Outdated
| # Print logs to stdout rather than logging files | ||
| log_to_stdout = true | ||
| # Snapshotter's log level | ||
| level = "info" |
ChengyuZhu6
force-pushed
the
payload
branch
2 times, most recently
from
ca3e040 to
cded377
Compare
This can be made transparent to users, eliminating the need for them to understand how to configure snapshotter in Containerd and reducing errors caused by misconfiguration. Signed-off-by: ChengyuZhu6 <[email protected]>
This can be seamlessly handled for users, eliminating the requirement for them to restore Containerd to its state prior to running the snapshotter. This approach reduces errors caused by misconfiguration or misbehavior. Signed-off-by: ChengyuZhu6 <[email protected]>
introduce main function to handle different commandline. Signed-off-by: ChengyuZhu6 <[email protected]>
Use configmap to decouple configuration artifacts from image content to keep containerized applications portable and inject configuration files and variables to the daemonset. Signed-off-by: ChengyuZhu6 <[email protected]>
ChengyuZhu6
force-pushed
the
payload
branch
2 times, most recently
from
7daf963 to
9c02cc2
Compare
|
We'd better to standardize all the binary paths to |
Signed-off-by: ChengyuZhu6 <[email protected]>
Add document to setup snapshotter by daemonset. Signed-off-by: ChengyuZhu6 <[email protected]>
We no longer need the entrypoint because snapshotter.sh handles both the deployment and the cleanup of the snapshotter. Signed-off-by: ChengyuZhu6 <[email protected]>
Check the status of the systemd service after restarting it. Signed-off-by: ChengyuZhu6 <[email protected]>
ChengyuZhu6
force-pushed
the
payload
branch
2 times, most recently
from
b5822db to
518d37c
Compare
update the e2e tests. Signed-off-by: ChengyuZhu6 <[email protected]>
|
Thanks @ChengyuZhu6 for the work and all reviewers @fidencio @wainersm @zvonkok @beraldoleal ! |
Confidential Containers leverage nydus snapshotter to pull images within the guest using
fs_driver=proxyand share images on the host usingfs_driver=blockdevto ensure data confidentiality. However, when running related tests for Kata CI with nydus snapshotter, we faced challenges installing and uninstalling nydus snapshotter on various architectures and configuring the containerd settings. We envisioned a smoother experience, where nydus snapshotter provides a daemonset, enabling users to seamlessly run and clean up nydus snapshotter and making it more easy.Fixes #565