-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Annotations to CDI Spec #85
Conversation
For Kata we need to pass through the VF into the container, a VF can have different types and with the BDF the runtime can deduce the right handling. An example CDI spec would look like:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @zvonkok. Could you also provide a short description on how these will be used.
Some other points:
- This requires a version bump of the spec. Let us do that now.
- Could we add an example to the readme etc. where this is specified?
Refactored the README according to md-lint suggestions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Beside clarification on usage of annotation field, it is ok from my side.
One side note noticed during this PR review, probably good for another PR: I've noticed that in our schema doesn't specify "global" containerEdits
fields in schema/schema.json
@kad @klihub @elezar I added validation of annotations PTAL; I have a general question why are we allowing an empty CDI spec to be valid? What is the purpose?
# bin/validate /tmp/nvidia.yaml
Building bin/validate...
Validating against JSON schema builtin...
/tmp/nvidia.yaml: validation failed:
[[]: Invalid value: "badfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfadfasdfasdfasdfasdfasfasdfasfsddf": name part must be no more than 63 characters] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding the validation @zvonkok. Some comments -- specifically about when this validation is triggered.
6b78d1c
to
5080b88
Compare
AFAICT, it is partly for historical reasons. IIRC how it came to be, Renaud's initial code was explicitly allowing for it, so we kept that functionality. My guess is that the orignal idea was to let vendor-specific utilities run at boot-time and generate vendor-specific 'static' Spec files in /etc (maybe by scanning /dev, and/or doing udev enumeration) and allow any empty files to indicate that the utilities did run (maybe using comments to that effect in the generated Spec files) but not trigger errors in the actual cdi Spec-handling packages. But I'm just guessing here... |
56ddae8
to
8751388
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zvonkok I have reworked this PR so that it can be merged into the current main
branch. This includes checks for the minimum version, for example.
I have also reworked the annotation validation to reduce the imported k8s
dependencies.
@klihub @bart0sh @kad since I've also updated this PR please take a look now.
It would be nice to cover new code with unit tests. |
This needs a rebase and conflict resolution. Other than that, I think it looks fine. |
Signed-off-by: Evan Lezar <[email protected]>
This change adds an internal validation package for spec annotation validation. This includes code imported from k8s.io/apimachinery/pkg/api and k8s.io/apimachinery/pkg/util to allow for basic validation of the annotations without importing additional dependencies. Signed-off-by: Evan Lezar <[email protected]>
This change allows a set of annotations to be specified at a spec level as well as per device defined in the spec. This bumps the spec version to 0.6.0. Note that validation of the contents of the annotations is also included at a schema level. Signed-off-by: Zvonko Kaiser <[email protected]> Signed-off-by: Evan Lezar <[email protected]>
Signed-off-by: Evan Lezar <[email protected]>
Done. |
) | ||
|
||
// ValidateSpecAnnotations checks whether spec annotations are valid. | ||
func ValidateSpecAnnotations(name string, any interface{}) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@klihub I believe you had questions / concerns about the validation of the annotations.
) | ||
|
||
// ValidateSpecAnnotations checks whether spec annotations are valid. | ||
func ValidateSpecAnnotations(name string, any interface{}) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the reason for not having the map[string]string
type for annotations as in the Spec itself ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function is called from the schema validation, where all we have is an interface{}
type. This handles the conversion of this type to a map[string]string
. Since this is required for two separate parts of the schema / spec (top-level annotations and device-level annotation), I added this helper here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I can rename this helper to ValidateSpecAnnotationSchema
instead.
Antother option is to drop the schema validation entirely which would clean up this PR significantly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it is sort of tempting... Then again, if at all possible it is better to catch Spec errors early (when seen first time by the CDI package) than late (when an injection goes wrong in the runtime). So I guess then some basic annotation verification would be a good idea.
That said, I don't know if these checks are really that helpful in that regard. AFAICT we don't plan to inject any of these annotations to a container and we are doing K8s pod/container annotations verification here. If we don't inject them, some entity somewhere along the runtime-runc/crun/kata path will do some semantic interpretation of the annotated data... which inevitable leaves the door open for delayed post-injection errors.
Since we don't validate by default, I think we can leave it in for the time being. If you're good with it @klihub let's get this merged and I we can bump a new version. |
// The v0.6.0 spec allows annotations to be specified at a device level | ||
for _, d := range spec.Devices { | ||
for range d.Annotations { | ||
return true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need a loop here if we unconditionally return on the first iteration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The intent of the loop is to detect whether a v0.6.0
spec is required. This is required if ANY annotions are detected.
We could use:
for _, d := range spec.Devices {
if len(d.Annotations) > 0 {
return true
instead, but I thought the loop was cleaner than the conditional in this case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not for me, but I'm ok with it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
Based on the discussion in #30 some generated devices like VFs need extra meta information to be handled correctly in virtualized environments.