Format update #124
Format update #124
Conversation
|
|
||
| ## Requirements | ||
| - Kubernetes, kubelet, kubeadm | ||
| - cri-containerd | ||
| - Kata Containers | ||
|
|
||
| For information about the supported version of these components see | ||
| Kata Containers [versions.yaml](https://github.com/kata-containers/runtime/blob/master/versions.yaml) file. | ||
| Note| |
There was a problem hiding this comment.
I like the way you've made this stand out, but could you change it to use the standard formatting we use for notes? I'm afraid this hasn't historically been written down, but I've just raised the following to rectify that 😄: #126.
There was a problem hiding this comment.
Hi @OGtrilliams - I see your note is still in the original style, not formatted as per the guideline @jodh-intel detailed at https://github.com/kata-containers/documentation/blob/master/Documentation-Requirements.md#notes - could you make that small change please?
| @@ -1,15 +1,18 @@ | |||
| # How to use Kata Containers and CRI (containerd plugin) with Kubernetes | |||
|
|
|||
| This document describes how to set up a single-machine Kubernetes cluster. | |||
| The Kubernetes cluster will use the CRI containerd plugin and Kata Containers to launch untrusted workloads. | |||
| The Kubernetes cluster will use the [CRI containerd plugin](https://github.com/containerd/cri) and [Kata Containers](https://katacontainers.io) to launch untrusted workloads. | |||
There was a problem hiding this comment.
We've tended to specify https://github.com/kata-containers as the project homepage for docs on github. Note that that URL does contain a link to https://katacontainers.io but the former is going to be quicker to navigate to find the code I think.
|
|
||
| #### Define the Kata runtime as `untrusted_workload_runtime` | ||
|
|
||
| Configure the Kata runtime for untrusted workload with the [config option](https://github.com/containerd/cri/blob/v1.0.0-rc.0/docs/config.md) | ||
| `plugins.cri.containerd.untrusted_workload_runtime`. | ||
|
|
||
| Unless configured otherwise, the default runtime is set to `runc`. | ||
|
|
||
| - Configure containerd to use Kata as `untrusted_workload_runtime` |
There was a problem hiding this comment.
Maybe add a colon at the end of this sentence?
|
Hi @OGtrilliams - thanks for raising! Our process requires that commits conform to a certain format. Travis is failing as a result and referencing this doc which explains the format of commits our CI tooling checks for: Basically, your commit needs to add:
Hence, if you squash your commits into a single commit, you could change your commit to something like the following (obviously change to add your name+email address) to keep the CI happy: |
| - Default runtime: A runtime that is used by default to run workloads. | ||
| - Untrusted workload runtime: A runtime that will be used run untrusted workloads. | ||
| - **Default runtime:** A runtime that is used by default to run workloads. | ||
| - **Untrusted workload runtime:** A runtime that will be used run untrusted workloads. |
There was a problem hiding this comment.
Suggested rewrite to stay active (and adding in a missing "to": Untrusted workload runtime: A runtime that is used to run untrusted workloads.
| @@ -71,23 +78,29 @@ EOT | |||
|
|
|||
| ### Configure Kubelet to use containerd | |||
|
|
|||
| In order to allow kubelet use containerd (using CRI interface) configure the service to | |||
| point to containerd socket. | |||
| In order to allow kubelet use containerd (using CRI interface), configure the service to | |||
There was a problem hiding this comment.
In order to allow kubelet, use containerd (using CRI interface) and configure the service to
| $ sudo systemctl daemon-reload | ||
| ``` | ||
|
|
||
| ### Optional: Configure proxy | ||
|
|
||
| If you are behind a proxy this script will configure your proxy for docker | ||
| kubelet and containerd. | ||
| If you are behind a proxy, use this script to configure your proxy for docker, |
There was a problem hiding this comment.
If you are behind a proxy, use the following script to configure your proxy for docker,
| If you are behind a proxy this script will configure your proxy for docker | ||
| kubelet and containerd. | ||
| If you are behind a proxy, use this script to configure your proxy for docker, | ||
| kubelet, and containerd. |
There was a problem hiding this comment.
I suggest using a colon at the end of this sentence rather than a period.
| If a pod has the `io.kubernetes.cri.untrusted-workload annotation` set as | ||
| `"true"`, the CRI plugin will run the pod with the Kata Containers runtime. | ||
| If a pod has the `io.kubernetes.cri.untrusted-workload` annotation set to | ||
| `"true"`, the CRI plugin will run the pod with the [Kata Containers runtime](https://github.com/kata-containers/runtime). |
There was a problem hiding this comment.
Suggested rewrite to stay active: "true", the CRI plugin runs the pod with the Kata Containers runtime.
|
Thanks everyone! I'll go back & fix everything you all suggested - but I'll just let you know ahead of time that I'm terrible at rebasing so... this might take a while. 😺 |
|
Thanks @OGtrilliams. No problem. I think all you'll need to do is:
|
|
gentle ping to @OGtrilliams - just wondering if you'll get to update this PR at some point? |
|
@grahamwhaley doing The Things right now! |
|
Hi @OGtrilliams - we're getting close but the CI checks are failing. What you need to do is change the format of your commit slightly to match the doc the Travis log is pointing you at (https://github.com/kata-containers/community/blob/master/CONTRIBUTING.md#patch-format). Something like this should do it: You need to do the rebase I mentioned above as well to squash the two commits into one as they are a single logical unit. |
|
Hi @OGtrilliams - do you still plan to fixup the commit as mentioned above? We'd really like your contribution so feel free to join us on irc/slack if you want any help with this: https://github.com/kata-containers/community/blob/master/CONTRIBUTING.md#contact. |
OGtrilliams
force-pushed
the
trilliams
branch
2 times, most recently
from
9188d02 to
f208a33
Compare
|
I think it's fixed @jodh-intel - going through checks now. |
| If a pod has the `io.kubernetes.cri.untrusted-workload annotation` set as | ||
| `"true"`, the CRI plugin will run the pod with the Kata Containers runtime. | ||
| If a pod has the `io.kubernetes.cri.untrusted-workload` annotation set to | ||
| `"true"`, the CRI plugin runs the pod with the [Kata Containers runtime](https://github.com/kata-containers/runtime). |
There was a problem hiding this comment.
Please link directly to the readme.md for the runtime.
|
|
||
| ```bash | ||
| # allow master node run pods | ||
| # allow master node to run pods | ||
| $ sudo -E kubectl taint nodes --all node-role.kubernetes.io/master- | ||
| ``` | ||
|
|
||
|
|
||
| ### Create a unstrusted pod using Kata Containers |
| - Default runtime: A runtime that is used by default to run workloads. | ||
| - Untrusted workload runtime: A runtime that will be used run untrusted workloads. | ||
| - **Default runtime:** A runtime that is used by default to run workloads. | ||
| - **Untrusted workload runtime:** A runtime that will be used to run untrusted workloads. | ||
|
|
There was a problem hiding this comment.
I think it would be useful to tell the user why they would use the untrusted workload runtime with the CRI plugin. Also, it might be worth explicitly stating that no further configuration is needed to use the CRI plugin with the default runtime if that is the case.
| @@ -46,20 +46,24 @@ $ command -v kubeadm | |||
|
|
|||
| ### Configure containerd to use Kata Containers | |||
There was a problem hiding this comment.
I don't understand why this is a sub-heading of Install Kubernetes.
| @@ -46,20 +46,24 @@ $ command -v kubeadm | |||
|
|
|||
There was a problem hiding this comment.
The link on line 39 goes to 404. Also, why are the code blocks commented out?
| This document describes how to set up a single-machine Kubernetes cluster. | ||
| The Kubernetes cluster will use the CRI containerd plugin and Kata Containers to launch untrusted workloads. | ||
| This document describes how to set up a single-machine Kubernetes cluster. | ||
| The Kubernetes cluster will use the [CRI containerd plugin](https://github.com/containerd/cri) and [Kata Containers](https://github.com/kata-containers) to launch untrusted workloads. |
There was a problem hiding this comment.
- cluster uses the
- I'd recommend linking directly to the readme.md for the CRI plugin link, and Kata containers should link to: katacontainers.io or perhaps no link as we're already in a project hosted on github.com/kata-containers.
|
@OGtrilliams - looks like a few text updates and we should then be good to merge. Can you PTAL? Thanks! |
OGtrilliams
force-pushed
the
trilliams
branch
2 times, most recently
from
6486053 to
85964d3
Compare
|
Hi @OGtrilliams - please could you update? If you don't have the time, please let us know and we can assist. |
OGtrilliams
force-pushed
the
trilliams
branch
2 times, most recently
from
8c20dc7 to
6008c72
Compare
Went through and made a few grammar and format updates to make how-to guide easier to follow, as well as add direct links to project Github pages where applicable. Fixes: kata-containers#127 Signed-off-by: trilliams <tribecca@tribecc.us> howto: k8s grammar and format changes Went through and made a few grammar and format updates to make how-to guide easier to follow, as well as add direct links to project Github pages where applicable. Fixes: kata-containers#127 Signed-off-by: trilliams <tribecca@tribecc.us>
|
/me gently nudges @OGtrilliams as there has been activity on their github account recently, so I know they are not on holiday ;-) - any update/refresh or ETA for this? (an ETA will help us know when to re-visit the PR ;-) ). thx. |
|
@grahamwhaley sorry! I made final updates about a week ago, but didn't comment here to announce it. It should be good for final review. |
There was a problem hiding this comment.
A couple of notes (no pun intended!).
@egernst - a couple were tech queries - were you the originator of some of this? (I've lost track..)
|
|
||
| ## Requirements | ||
| - Kubernetes, kubelet, kubeadm | ||
| - cri-containerd | ||
| - Kata Containers | ||
|
|
||
| For information about the supported version of these components see | ||
| Kata Containers [versions.yaml](https://github.com/kata-containers/runtime/blob/master/versions.yaml) file. | ||
| Note| |
There was a problem hiding this comment.
Hi @OGtrilliams - I see your note is still in the original style, not formatted as per the guideline @jodh-intel detailed at https://github.com/kata-containers/documentation/blob/master/Documentation-Requirements.md#notes - could you make that small change please?
|
|
||
| # Prevent docker iptables rules conflict with k8s pod communication | ||
| ```bash | ||
| $ sudo iptables -P FORWARD ACCEPT |
There was a problem hiding this comment.
I'm an iptables numpty - is this basically disabling a bunch of iptables functionality globally? If so, maybe we want to put some sort of note/warning in here to tell users this is a dev/test measure, and for any sort of deployment they might want to do something more 'robust' ?
| # Start cluster using kubeadm | ||
| - Start cluster using `kubeadm` | ||
|
|
||
| ```bash | ||
| $ sudo kubeadm init --skip-preflight-checks \ |
There was a problem hiding this comment.
Are we merely skipping pre-flight tests to save some time during development?
|
I'd like to see what the output of the verification steps looks like (command -v ...). Can we add terminators ("." or ":") for sentences in bullets and preceding instructions. |
|
@OGtrilliams Could you please address @grahamwhaley's comments? |
|
Ping @OGtrilliams . Any update? |
|
Hi @OGtrilliams - let us know if you can come back and visit this PR or not - if not, we'll put it up for adoption under the assisted workflow case, and try to wrap it up and land it... |
|
🔔 🔔 Outatime [*] 😄 Applying the boilerplate text from https://github.com/kata-containers/community/blob/master/CONTRIBUTING.md#assisted-pr-workflow... Thank you for your contribution but we are unable to merge it until all review feedback has been applied and all CI checks have passed. Since we have not heard from you for a while, we assume you are unable to progress this PR. As such, we intend to create a new PR based on this one, and resolve the identified issues on the new PR. The new PR will reference this PR for tracking purposes. This PR will be marked [*] - Note to self - gotta watch that film again soon! :) |
This PR is based on kata-containers#124 but has been reworked and updated to take into account review feedback and extra cleanups to bring this howto in line with the latest documentation requirements. Fixes kata-containers#127. Contributions-from: T. Nichole Williams <tribecca@tribecc.us> Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This PR is based on kata-containers#124 but has been reworked and updated to take into account review feedback and extra cleanups to bring this howto in line with the latest documentation requirements. Fixes kata-containers#127. Signed-off-by: T. Nichole Williams <tribecca@tribecc.us> Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
|
Replaced by #251. |
This PR is based on kata-containers#124 but has been reworked and updated to take into account review feedback and extra cleanups to bring this howto in line with the latest documentation requirements. Fixes kata-containers#127. Signed-off-by: T. Nichole Williams <tribecca@tribecc.us> Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This PR is based on kata-containers#124 but has been reworked and updated to take into account review feedback and extra cleanups to bring this howto in line with the latest documentation requirements. Fixes kata-containers#127. Signed-off-by: T. Nichole Williams <tribecca@tribecc.us> Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This PR is based on kata-containers#124 but has been reworked and updated to take into account review feedback and extra cleanups to bring this howto in line with the latest documentation requirements. Fixes kata-containers#127. Signed-off-by: T. Nichole Williams <tribecca@tribecc.us> Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
|
@jodh-intel should we close this PR? Since it has been replaced by #251? |
|
Hi @raravena80 - yep, it will be once #251 lands (see https://github.com/kata-containers/community/blob/master/CONTRIBUTING.md#assisted-pr-workflow) |
This PR is based on kata-containers#124 but has been reworked and updated to take into account review feedback and extra cleanups to bring this howto in line with the latest documentation requirements. Fixes kata-containers#127. Signed-off-by: T. Nichole Williams <tribecca@tribecc.us> Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
…Proxy builder: support proxy in distros based on yum or dnf
made a few grammatical changes, added hyperlinks to CRI github for those who don't know what it is, & reworked formatting a bit.