Ephemeral storage not available when using (docker/podman) rootless providers #3359
Comments
it seems to be done on purpose with rootless, I've tried the following patch and it solves the problem for me:
diff --git a/pkg/cluster/internal/kubeadm/config.go b/pkg/cluster/internal/kubeadm/config.go
index 6aa17581..0a17f64e 100644
--- a/pkg/cluster/internal/kubeadm/config.go
+++ b/pkg/cluster/internal/kubeadm/config.go
@@ -79,10 +79,6 @@ type ConfigData struct {
// RootlessProvider is true if kind is running with rootless mode
RootlessProvider bool
- // DisableLocalStorageCapacityIsolation is typically set true based on RootlessProvider
- // based on the Kubernetes version, if true kubelet localStorageCapacityIsolation is set false
- DisableLocalStorageCapacityIsolation bool
-
// DerivedConfigData contains fields computed from the other fields for use
// in the config templates and should only be populated by calling Derive()
DerivedConfigData
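Review bot: dropping the `DisableLocalStorageCapacityIsolation` field from `ConfigData` needs a matching check that nothing else in the package still reads or sets it (the `Derive()` path mentioned in the comment just below is the obvious place), otherwise this hunk alone will not compile; the surrounding doc comments for `RootlessProvider` and `DerivedConfigData` still read correctly with the field removed.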
@@ -422,7 +418,6 @@ evictionHard:
{{ range $index, $gate := .SortedFeatureGates }}
"{{ (StructuralData $gate.Name) }}": {{ $gate.Value }}
{{end}}{{end}}
-{{if .DisableLocalStorageCapacityIsolation}}localStorageCapacityIsolation: false{{end}}
{{if ne .KubeProxyMode "None"}}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
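Review bot: with the `{{if .DisableLocalStorageCapacityIsolation}}localStorageCapacityIsolation: false{{end}}` line gone, the generated kubelet component config no longer mentions `localStorageCapacityIsolation` at all, so rootless clusters silently fall back to the kubelet default (enabled). That is the actual behavioural change that makes ephemeral-storage appear on the node, so it should be stated explicitly in the PR description; also confirm the template still renders valid YAML now that the `{{end}}{{end}}` line sits directly before the `{{if ne .KubeProxyMode "None"}}` block.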
@@ -468,16 +463,6 @@ func Config(data ConfigData) (config string, err error) {
return "", errors.Errorf("version %q is not compatible with rootless provider (hint: kind v0.11.x may work with this version)", ver)
}
data.FeatureGates["KubeletInUserNamespace"] = true
-
- // For avoiding err="failed to get rootfs info: failed to get device for dir \"/var/lib/kubelet\": could not find device with major: 0, minor: 41 in cached partitions map"
- // https://github.com/kubernetes-sigs/kind/issues/2524
- if ver.LessThan(version.MustParseSemantic("v1.25.0-alpha.3.440+0064010cddfa00")) {
- // this feature gate was removed in v1.25 and replaced by an opt-out to disable
- data.FeatureGates["LocalStorageCapacityIsolation"] = false
- } else {
- // added in v1.25 https://github.com/kubernetes/kubernetes/pull/111513
- data.DisableLocalStorageCapacityIsolation = true
- }
}
// assume the latest API version, then fallback if the k8s version is too low
not sure how many other things I break this way though 😄
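Review bot: this hunk removes both branches of the version-gated workaround from #2524, including the `LocalStorageCapacityIsolation=false` feature gate for Kubernetes older than v1.25, so the kubelet `failed to get rootfs info` crash quoted in the deleted comment is now unmitigated on every version kind still accepts for rootless. The commit message should record which rootless Kubernetes versions were tested with the isolation feature enabled and why the crash no longer reproduces; also check that the `version` package is still referenced elsewhere in the file once `version.MustParseSemantic` is gone, otherwise the unused import breaks the build.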
I've played a bit with it and could not spot any failure so perhaps it is worth dropping this special handling and have one difference less with rootful mode. I've opened a PR so we can discuss it better there: #3360
it was used to workaround a kubelet crash issue with rootless providers. The Kubelet seems to work fine now with localStorageCapacityIsolation enabled in a user namespace so drop the special handling. After this change, ephemeral storage can be used in a rootless cluster. Closes: kubernetes-sigs#3359 Signed-off-by: Giuseppe Scrivano <[email protected]>
Are those differences between rootful and rootless mode listed somewhere?
They should be at https://kind.sigs.k8s.io/docs/user/rootless/, but I don't personally use rootless and CI doesn't cover the entire surface of Kubernetes, historically things just haven't worked e.g. in Kubernetes like this feature. KIND is the only rootless coverage for Kubernetes CI AFAIK, but I don't think it's terribly extensive in that regard and I'm not sure to the extent that e.g. SIG Node even officially supports this versus permitting patches related to rootless. I don't think we have rootless node_e2e for example.
Thanks for your quick response @BenTheElder !
My point is we don't know all of them, and that restrictions from docker/podman/kubernetes remain true irrespective of This would be the only current unlisted known issue for us off the top of my head and it was actually widely true for rootless kubernetes, not just kind, it was also the case in other projects, so we didn't think to add something. EDIT: I agree they should be listed, and that would be the page to add them to.
minikube does too: https://github.com/kubernetes/minikube/blob/319886a38d56668e5141fa19afd7ad3ace1962d7/.github/workflows/pr.yml#L288
I was waiting for the upstream CI to switch to cgroup v2, now I should find my time to work on this... |
So it's true that minikube is running Kubernetes in rootless mode in their CI, I reached out to them about this field previously ... but minikube only supports Kubernetes releases and is not part of Kubernetes's CI, in general they're doing their own testing independent of SIG Testing/Release/... on tagged, built k8s releases and are not part of release signal for SIG Node, Release, etc.
👍 I do think we need more coverage for this. My point was just that the broader k8s project isn't tightly tracking this sort of thing at the moment, so for us to document things that may not work in rootless k8s anywhere requires kind to first go and identify these things ourselves at the moment, there are not docs covering this for core kubernetes or minikube.
(which is also why we don't know what changed to make this feature start working xref #3360) |
What happened:
When using kind with rootless docker/podman, pods with ephemeral storage requests never get scheduled, i.e.:
What you expected to happen:
The pod gets properly scheduled, as it does with rootful docker/podman
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
With rootful docker/podman:
With rootless docker/podman (no ephemeral storage):
Environment:
- kind version: (use `kind version`): v0.20.0 go1.20.7 linux/amd64
- Runtime info: (use `docker info` or `podman info`):
- OS (e.g. from `/etc/os-release`): Fedora Linux
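The scheduling failure this report describes, as an added example that is not part of the issue or of kind's code: a minimal Go model of the scheduler's per-node resource fit check, run against two constructed node allocatable maps. It assumes, as the issue reports, that the rootless node advertises no `ephemeral-storage` allocatable while the rootful node does. The quantity parser handles only integer byte quantities with Ki/Mi/Gi/k/M/G suffixes and is written for this example, not taken from Kubernetes.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// parseQuantity converts a Kubernetes-style byte quantity ("1Gi", "100M", "512")
// into an integer byte count. Written for this example only: it covers integer
// values with binary or decimal SI suffixes and nothing else (no "500m", no exponents).
func parseQuantity(s string) (int64, error) {
	suffixes := []struct {
		suffix string
		mult   int64
	}{
		{"Ki", 1 << 10}, {"Mi", 1 << 20}, {"Gi", 1 << 30}, {"Ti", 1 << 40},
		{"k", 1_000}, {"M", 1_000_000}, {"G", 1_000_000_000}, {"T", 1_000_000_000_000},
	}
	for _, sf := range suffixes {
		if strings.HasSuffix(s, sf.suffix) {
			n, err := strconv.ParseInt(strings.TrimSuffix(s, sf.suffix), 10, 64)
			if err != nil {
				return 0, fmt.Errorf("quantity %q: %w", s, err)
			}
			return n * sf.mult, nil
		}
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("quantity %q: %w", s, err)
	}
	return n, nil
}

// UnsatisfiedRequests returns the resources a pod requests that the node cannot
// provide, either because the node does not advertise the resource at all or
// because its allocatable amount is smaller than the request. A non-empty result
// means the pod stays Pending on that node. This mirrors the scheduler's fit
// check in spirit; it is not the scheduler's code.
func UnsatisfiedRequests(allocatable, requests map[string]string) ([]string, error) {
	var missing []string
	for name, req := range requests {
		want, err := parseQuantity(req)
		if err != nil {
			return nil, fmt.Errorf("request %s: %w", name, err)
		}
		have, ok := allocatable[name]
		if !ok {
			// The rootless case from the issue: the resource is simply absent.
			missing = append(missing, name+" (not advertised by node)")
			continue
		}
		avail, err := parseQuantity(have)
		if err != nil {
			return nil, fmt.Errorf("allocatable %s: %w", name, err)
		}
		if avail < want {
			missing = append(missing, fmt.Sprintf("%s (want %s, allocatable %s)", name, req, have))
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// Constructed node allocatable maps. The rootful node advertises ephemeral-storage;
// the rootless node, with the kubelet's localStorageCapacityIsolation disabled,
// does not (the behaviour the issue reports). Values are illustrative.
var RootfulAllocatable = map[string]string{
	"memory":            "16Gi",
	"ephemeral-storage": "100Gi",
}

var RootlessAllocatable = map[string]string{
	"memory": "16Gi",
}

// PodRequests is a constructed pod resource request block.
var PodRequests = map[string]string{
	"memory":            "128Mi",
	"ephemeral-storage": "1Gi",
}

func main() {
	nodes := []struct {
		name  string
		alloc map[string]string
	}{{"rootful", RootfulAllocatable}, {"rootless", RootlessAllocatable}}
	for _, n := range nodes {
		missing, err := UnsatisfiedRequests(n.alloc, PodRequests)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		if len(missing) == 0 {
			fmt.Printf("%s node: pod fits\n", n.name)
			continue
		}
		fmt.Printf("%s node: unschedulable, insufficient %s\n", n.name, strings.Join(missing, "; "))
	}
}
```

Run it with `go run .`; the rootful node reports that the pod fits, while the rootless node reports `ephemeral-storage (not advertised by node)`, which is the same outcome `kubectl describe pod` shows as an `Insufficient ephemeral-storage` scheduling event. Checking a node's `.status.allocatable` for the `ephemeral-storage` key is the quickest way to tell which situation a cluster is in.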