Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes containerd configuration issue with insecure registries #14482

Merged
merged 4 commits into from
Aug 31, 2022
Merged

Fixes containerd configuration issue with insecure registries #14482

merged 4 commits into from
Aug 31, 2022

Conversation

andrewhamilton-okta
Copy link
Contributor

  • Updates containerd configuration to use the new format for specifying
    container registry mirrors.
  • Updates the start code to produce files in the correct location for
    registry mirrors specified with --insecure-registry

Fixes #14480

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Jun 30, 2022
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: andrewhamilton-okta / name: Andrew Hamilton (7d79b3e)

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Jun 30, 2022
@k8s-ci-robot
Copy link
Contributor

Welcome @andrewhamilton-okta!

It looks like this is your first PR to kubernetes/minikube 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/minikube has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 30, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @andrewhamilton-okta. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 30, 2022
@minikube-bot
Copy link
Collaborator

Can one of the admins verify this patch?

@spowelljr
Copy link
Member

Hi @andrewhamilton-okta, thanks for the PR, we'll need you to sign the CLA mentioned above #14482 (comment) before we can go any further with the PR, thanks

@ahamilton55
Copy link

Hi @spowelljr . I'm trying to get the CLA worked out with my company. We've signed it in the past but we currently don't have a manager in EasyCLA that can approve my reqeust so I need figure that out next week unfortunately.

I was hoping that when I saw my company signed this would be easy but not so much...

@RA489
Copy link

RA489 commented Jul 4, 2022

/easycla

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jul 6, 2022
@andrewhamilton-okta
Copy link
Contributor Author

@spowelljr I was able to get the CLA worked out so let me know if I need to do anything to reach out to the correct people to get this started.

@ahamilton55 ahamilton55 mentioned this pull request Jul 7, 2022
Closed
@andrewhamilton-okta
Copy link
Contributor Author

Hi. Is there something that I can do to move this forward? I understand there are limited resources but am able to work on anything that might need updating this week to get this merged.

@ahamilton55 ahamilton55 mentioned this pull request Aug 9, 2022
Closed
@spowelljr
Copy link
Member

ok-to-build-iso

@spowelljr
Copy link
Member

ok-to-build-image

@minikube-bot
Copy link
Collaborator

Hi @andrewhamilton-okta, we have updated your PR with the reference to newly built kicbase image. Pull the changes locally if you want to test with them or update your PR further.

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 29, 2022
andrewhamilton-okta and others added 3 commits August 29, 2022 12:52
@andrewhamilton-okta
Fixes containerd configuration issue with insecure registry
20470cf 
- Updates containerd configuration to use the new format for specifying
  container registry mirrors.
- Updates the start code to produce files in the correct location for
  registry mirrors specified with --insecure-registry
@andrewhamilton-okta @spowelljr
Update target dir for aarch64
c929340 
Adds missing certs.d directory in the installation directory path.

Co-authored-by: Steven Powell <44844360+spowelljr@users.noreply.github.com>
@minikube-bot @andrewhamilton-okta
Updating kicbase image to v0.0.33-1661795577-14482
1599f52
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 29, 2022
@andrewhamilton-okta
Copy link
Contributor Author

Rebased.

@minikube-bot
Copy link
Collaborator

Hi @andrewhamilton-okta, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further.

@andrewhamilton-okta
Copy link
Contributor Author

I built minikube locally with this updated branch and ran it how I usually do and things came up as expected and didn't fail how they currently do with the released 1.26 and later builds.

medyagh
medyagh requested changes Aug 31, 2022
View reviewed changes
deploy/kicbase/containerd.toml
@@ -57,9 +57,8 @@ oom_score = 0
conf_dir = "/etc/cni/net.mk"
conf_template = ""
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you please clarify, Why these options were removed ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@medyagh The configuration structure that containerd expects has changed with this new version. This entry is recreated through a directory structure instead now.

https://github.com/containerd/containerd/blob/main/docs/hosts.md

@spowelljr
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 31, 2022
@minikube-pr-bot
Copy link

kvm2 driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 14482) |
+----------------+----------+---------------------+
| minikube start | 56.7s    | 56.5s               |
| enable ingress | 29.2s    | 29.0s               |
+----------------+----------+---------------------+

Times for minikube start: 55.6s 56.8s 55.7s 59.6s 55.9s
Times for minikube (PR 14482) start: 56.3s 56.0s 58.9s 55.8s 55.6s

Times for minikube ingress: 29.6s 31.6s 29.6s 25.6s 29.6s
Times for minikube (PR 14482) ingress: 30.5s 29.1s 28.1s 28.6s 28.6s

docker driver with docker runtime
error collecting results for docker driver: timing run 0 with minikube: timing cmd: [out/minikube addons enable ingress]: waiting for minikube: exit status 10
docker driver with containerd runtime
error downloading artifacts: artifact download start: exit status 90

@andrewhamilton-okta
Copy link
Contributor Author

The failure in the CI logs is around a Unix socket path being too long. I want to assume that this isn't caused by my PR directly but I'm not sure.

@minikube-pr-bot
Copy link

These are the flake rates of all failed tests.

Environment Failed Tests Flake Rate (%)
Docker_Linux_containerd TestStartStop/group/newest-cni/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
Docker_Linux_containerd TestStartStop/group/no-preload/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
Hyperkit_macOS TestStartStop/group/newest-cni/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
Hyperkit_macOS TestStartStop/group/no-preload/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
Hyper-V_Windows TestStartStop/group/newest-cni/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
Hyper-V_Windows TestStartStop/group/no-preload/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
KVM_Linux_containerd TestStartStop/group/newest-cni/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
KVM_Linux_containerd TestStartStop/group/no-preload/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
KVM_Linux TestStartStop/group/newest-cni/serial/VerifyKubernetesImages (gopogh) 0.00 (chart)
Hyperkit_macOS TestCertExpiration (gopogh) 0.63 (chart)
KVM_Linux TestStartStop/group/no-preload/serial/VerifyKubernetesImages (gopogh) 1.17 (chart)
Docker_macOS TestStartStop/group/newest-cni/serial/VerifyKubernetesImages (gopogh) 10.90 (chart)
Docker_macOS TestStartStop/group/no-preload/serial/VerifyKubernetesImages (gopogh) 10.90 (chart)
KVM_Linux TestPause/serial/SecondStartNoReconfiguration (gopogh) 29.24 (chart)
Hyper-V_Windows TestPause/serial/SecondStartNoReconfiguration (gopogh) 49.67 (chart)
Hyper-V_Windows TestNoKubernetes/serial/StartWithStopK8s (gopogh) 97.30 (chart)
KVM_Linux TestMultiNode/serial/ValidateNameConflict (gopogh) 98.84 (chart)
Docker_macOS TestDownloadOnly/v1.16.0/preload-exists (gopogh) 99.38 (chart)
Docker_Linux_containerd TestKubernetesUpgrade (gopogh) 100.00 (chart)
Docker_macOS TestIngressAddonLegacy/serial/ValidateIngressAddonActivation (gopogh) 100.00 (chart)
Docker_macOS TestIngressAddonLegacy/serial/ValidateIngressAddons (gopogh) 100.00 (chart)
Docker_macOS TestIngressAddonLegacy/serial/ValidateIngressDNSAddonActivation (gopogh) 100.00 (chart)
Docker_macOS TestIngressAddonLegacy/StartLegacyK8sCluster (gopogh) 100.00 (chart)
Docker_macOS TestKubernetesUpgrade (gopogh) 100.00 (chart)
Docker_macOS TestMissingContainerUpgrade (gopogh) 100.00 (chart)
Docker_macOS TestNetworkPlugins/group/kubenet/HairPin (gopogh) 100.00 (chart)
Docker_macOS TestPause/serial/VerifyStatus (gopogh) 100.00 (chart)
Docker_macOS TestPreload (gopogh) 100.00 (chart)
Docker_macOS TestRunningBinaryUpgrade (gopogh) 100.00 (chart)
Docker_macOS TestStartStop/group/default-k8s-different-port/serial/Pause (gopogh) 100.00 (chart)
More tests... Continued...

Too many tests failed - See test logs for more details.

To see the flake rates of all tests by environment, click here.

@spowelljr
Copy link
Member

The containerd tests look very healthy to me, this looks good to merge

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewhamilton-okta, spowelljr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 31, 2022
@spowelljr spowelljr merged commit f2df65f into kubernetes:master Aug 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@medyagh medyagh medyagh requested changes

@spowelljr spowelljr spowelljr approved these changes

@afbjorklund afbjorklund Awaiting requested review from afbjorklund

@sharifelgamal sharifelgamal Awaiting requested review from sharifelgamal

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Container runtime containerd with insecure registry breaks new pods
8 participants
@andrewhamilton-okta @k8s-ci-robot @minikube-bot @spowelljr @ahamilton55 @RA489 @minikube-pr-bot @medyagh