entrypoint: use exec to run Device Plugin #284
On Pod / DaemonSet termination, Kubernetes sends SIGTERM to the first process on each container (pid 1). In order to ensure the SR-IOV Device Plugin daemon receives the signal and it can gracefully clean up, use "exec" in the entrypoint script.
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Works as expected. I see in the sriov dp daemonset example we request host PID namespace. I want to understand if this is needed, because this patch will be meaningless with that daemon set spec; however, this should still be fixed.
@ahalim-intel @zshi-redhat any idea why hostPID would be needed? Also, I see when OpenShift sriov-network-operator deploys sriov device plugin it does so without the hostPID attribute. @martinkennelly I think when
@adrianchiris When hostPID is set, you share the same PID namespace as the underlying system from which the container was spawned. When I tested this, I could see all the underlying system processes. Exec allocated a new PID.
IIRC - the hostPID was needed to be able to enumerate host devices in order to discover all the devices. Running just privileged Pod and hostNetwork was not enough. However as I can see DP is able to discover devices without it. So, most likely it's not needed. If this is confirmed then we should remove this. We should also review other security contexts given to the DP daemonset Pod and only allow what is absolutely needed.
@adrianchiris It doesn't matter if hostpid is enabled or disabled, SRIOV DP receives
@adrianchiris I think hostNetwork is needed to open netlink sockets, IIRC
I see, thanks for the clarifications!
hostNetwork is needed to discover devices (e.g. given PF Name in selector).
I think we can probably get away with removing the hostPID from the example, I'll deploy without to make sure it works and post a PR on it.
Anyway, for this I'm LGTM, thanks.
thanks for the fix!
@zshi-redhat Yes. The timeout if the pod does not die gracefully defaults to 30s!
On Pod / DaemonSet termination, Kubernetes sends SIGTERM to the first
process (pid 1).
In order to ensure the SR-IOV Device Plugin daemon receives the signal
and it can gracefully clean up, use "exec" in the entrypoint script.
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
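
The signal-delivery difference the commit message describes can be reproduced outside a cluster. The script below is an added example, not code from this PR or the project: `daemon.sh`, `entrypoint.sh` and the function name are constructed stand-ins, and the entrypoint's PID plays the role of the container's pid 1.

```shell
#!/bin/sh
# Added example: compare an entrypoint that runs the daemon as a child with
# one that exec's it, then send SIGTERM to the entrypoint PID only.

signal_reaches_daemon() {   # $1 = "exec" or "child"; prints graceful|orphaned
    mode=$1
    dir=$(mktemp -d)

    # Stand-in daemon (constructed): records a clean shutdown on SIGTERM.
    cat > "$dir/daemon.sh" <<'EOF'
trap 'echo cleaned > "$1/cleanup"; exit 0' TERM
echo $$ > "$1/pid"
while :; do sleep 1 & wait $!; done
EOF

    if [ "$mode" = exec ]; then
        # exec replaces the shell, so the daemon keeps the entrypoint's PID.
        echo 'exec sh "$1/daemon.sh" "$1"' > "$dir/entrypoint.sh"
    else
        # The shell remains the signalled process; the daemon is its child.
        printf '%s\n' 'sh "$1/daemon.sh" "$1"' 'exit $?' > "$dir/entrypoint.sh"
    fi

    sh "$dir/entrypoint.sh" "$dir" >/dev/null 2>&1 &
    entry_pid=$!
    while [ ! -s "$dir/pid" ]; do sleep 1; done   # wait until the trap is set
    daemon_pid=$(cat "$dir/pid")

    # Termination as described above: SIGTERM goes to the first process only.
    kill -TERM "$entry_pid"
    wait "$entry_pid" 2>/dev/null || true

    if [ -f "$dir/cleanup" ]; then result=graceful; else result=orphaned; fi
    kill -KILL "$daemon_pid" 2>/dev/null || true   # stop an orphaned daemon
    rm -rf "$dir"
    echo "$result"
}

for m in child exec; do
    echo "$m: $(signal_reaches_daemon "$m")"
done
```

In a real container the wrapper shell is pid 1 with no SIGTERM handler, so the kernel ignores the signal instead of killing the shell; the daemon still never sees it and the pod is killed once the termination grace period expires.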