Use crictl to pull sandbox image #1605
Conversation
files/pull-sandbox-image.sh
Outdated
| @@ -8,4 +8,9 @@ if [[ "$(sudo ctr --namespace k8s.io image ls | grep $sandbox_image)" != "" ]]; | |||
| exit 0 | |||
| fi | |||
|
|
|||
| /etc/eks/containerd/pull-image.sh "${sandbox_image}" | |||
| ecr_password=$(aws ecr get-login-password) | |||
There was a problem hiding this comment.
if there is a problem with getting the password, will the timer (in the other PR) fail and then fail to re-fire again in the next time period?
There was a problem hiding this comment.
The timer will trigger the unit whether it failed or succeeded on previous runs, per my testing.
I copied over the retry logic we have in the other pull-image.sh script anyway.
|
cc @henry118 |
cartermckinnon
force-pushed
the
crictl-pull-sandbox
branch
from
96a28ab
to
9b5e03c
Compare
| @@ -8,4 +8,26 @@ if [[ "$(sudo ctr --namespace k8s.io image ls | grep $sandbox_image)" != "" ]]; | |||
| exit 0 | |||
| fi | |||
|
|
|||
| /etc/eks/containerd/pull-image.sh "${sandbox_image}" | |||
There was a problem hiding this comment.
Any reason not to modify the pull-image.sh script itself to use crictl instead of ctr?
There was a problem hiding this comment.
We use ctr content fetch in that script because it skips image unpacking (an important optimization for the image caching feature's disk usage).
files/pull-sandbox-image.sh
Outdated
| echo >&2 "Unable to retrieve the ECR password." | ||
| exit 1 | ||
| fi | ||
| sudo retry crictl pull "${sandbox_image}" --creds AWS:${ecr_password} |
There was a problem hiding this comment.
I just checked my node and crictl wasn't there. I think you need to install it as well.
There was a problem hiding this comment.
Right, missed in my commit 😓 . We mulled over adding cri-tools in the past because we aren't the maintainers of that package in AL. We don't have much of a choice now; the only other option would be manually labelling the image as pinned after we pull it with ctr, which seems more fragile (the label key or something could change).
cartermckinnon
force-pushed
the
crictl-pull-sandbox
branch
from
9b5e03c
to
cfef02f
Compare
|
/ci |
|
@cartermckinnon roger that! I've dispatched a workflow. 👍 |
cartermckinnon
force-pushed
the
crictl-pull-sandbox
branch
from
cfef02f
to
17f1b1d
Compare
|
/ci |
|
@cartermckinnon roger that! I've dispatched a workflow. 👍 |
|
@cartermckinnon the workflow that you requested has completed. 🎉
|
Issue #, if available:
Fixes #1597 on
containerd1.7.3+.Description of changes:
The containerd CRI server will only report an image as "pinned" if it is pulled with the CRI server. The pinned label will not be applied if it is pulled using the bare
containerdserver withctr.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Testing Done
On
containerd-1.7.11withsandbox_image = "registry.k8s.io/pause:3.9":