KEP-1981: WindowsHostProcessContainers beta major changes #3311
Signed-off-by: Mark Rossetti <[email protected]>
Great to see how we learned what worked and what could be improved to make the feature better.
Looking forward to these improvements!
Signed-off-by: Mark Rossetti <[email protected]>
/hold
batch committing suggested changes
Co-authored-by: Jordan Liggitt <[email protected]>
Signed-off-by: Mark Rossetti <[email protected]>
- On containerd v1.7 **bind** volume mount behavior will always be used. | ||
- If users are running nodes with Windows Server 2019 with security patches older than July 2022 the volume mounts for HostProcessContainers will fail. | ||
|
||
Users who have workloads that depend on the **symlink** mount behavior (ex: are expecting to find mounted volumes under `$CONTAINER_SANDBOX_MOUNT_POINT`) will need to stay on containerd v1.6 releases until their workloads are updated to be compatible with **bind** mount behavior. |
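Review bot: this compatibility note tells users to stay on containerd v1.6 but gives them nothing to act on: "security patches older than July 2022" is not something a node administrator can check a Windows Server 2019 node against, and "updated to be compatible with bind mount behavior" has no guidance behind it. Suggest naming the exact update (KB article or OS build) that introduced the bind mount support, stating what the failure looks like on an unpatched node (pod event, error text) so it can be recognised, and adding a line on how a workload or its entrypoint can tell the two layouts apart, e.g. whether the declared mountPath exists on the host or only under `$CONTAINER_SANDBOX_MOUNT_POINT`.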
> workloads that depend on the symlink mount behavior (ex: are expecting to find mounted volumes under `$CONTAINER_SANDBOX_MOUNT_POINT`) will need to stay on containerd v1.6 releases until their workloads are updated to be compatible with bind mount behavior

This positioning is questionable for a GA feature. Remaining in beta until bind mount is available, then saying GA only supports bind mount is more what I would have expected.
We can keep the feature in beta for one more release and then go to stable after containerd v1.7 releases and is deemed stable, if that makes more sense.
Either way we'll need to document that a breaking change will occur when updating from containerd v1.6 to v1.7 w.r.t. volume mount behavior.
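One way a HostProcess workload can bridge the two mount layouts during the v1.6 to v1.7 transition is to resolve its volume at start-up instead of hard-coding either path. The script below is an added example for this thread; it is not code from the KEP, from containerd, or from hcsshim. It assumes the symlink layout places a mount declared as `C:\etc\hpc-agent` at `$env:CONTAINER_SANDBOX_MOUNT_POINT\etc\hpc-agent` (drive letter or leading slash stripped, rest of the path kept), and the mountPath `C:\etc\hpc-agent` and marker file `config.yaml` are constructed for the example.

```powershell
# Added example (not from the KEP, the PR, containerd or hcsshim).
# Locates a declared HostProcess volume under either layout:
#   containerd v1.6 (symlink behaviour): $env:CONTAINER_SANDBOX_MOUNT_POINT\<mountPath minus drive/root>
#   containerd v1.7 (bind behaviour):    <mountPath> directly on the host
# The re-rooting rule, the mountPath 'C:\etc\hpc-agent' and the marker file
# 'config.yaml' are assumptions; adjust them to the pod spec being bridged.

function Resolve-HpcMountPath {
    [CmdletBinding()]
    param(
        # mountPath exactly as declared in the pod's volumeMounts
        [Parameter(Mandatory)] [string] $MountPath,
        # A file that only exists inside the volume. Probing for it avoids a false
        # 'bind' answer when an unrelated directory already exists at $MountPath
        # on the host (HostProcess containers see the real host filesystem).
        [string] $MarkerFile,
        [string] $SandboxMountPoint = $env:CONTAINER_SANDBOX_MOUNT_POINT
    )

    # Nested helper; reads $MarkerFile from the enclosing scope.
    function Test-VolumeAt([string] $Dir) {
        if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
        if ($MarkerFile) {
            return (Test-Path -LiteralPath (Join-Path $Dir $MarkerFile) -PathType Leaf)
        }
        return $true
    }

    # 1. bind behaviour: the volume is exactly where the pod spec says it is.
    if (Test-VolumeAt $MountPath) {
        return [pscustomobject]@{ Mode = 'bind'; Path = $MountPath }
    }

    # 2. symlink behaviour: same path, re-rooted under the sandbox mount point.
    if ($SandboxMountPoint) {
        $relative  = $MountPath -replace '^[A-Za-z]:', '' -replace '^[\\/]+', ''
        $candidate = Join-Path $SandboxMountPoint $relative
        if (Test-VolumeAt $candidate) {
            return [pscustomobject]@{ Mode = 'symlink'; Path = $candidate }
        }
    }

    # Fail fast rather than silently reading from an empty host directory.
    throw "No volume found for mountPath '$MountPath' under bind or symlink layout (CONTAINER_SANDBOX_MOUNT_POINT='$SandboxMountPoint')"
}

# Usage at the top of the container entrypoint:
$vol = Resolve-HpcMountPath -MountPath 'C:\etc\hpc-agent' -MarkerFile 'config.yaml'
Write-Host "volume layout: $($vol.Mode); reading $($vol.Path)\config.yaml"
Get-Content -LiteralPath (Join-Path $vol.Path 'config.yaml')
```

The marker file is the important part of the check: because a HostProcess container runs against the host filesystem, a bare `Test-Path` on the declared mountPath can succeed on a node where that directory exists for an unrelated reason, and the workload would then read host data instead of the projected volume. Throwing when neither layout yields the marker turns a mis-mounted volume into an immediate, visible crash rather than a container that starts with missing configuration.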
Graduation | ||
|
||
- Add e2e tests to validate running `hostProcess` containers as non SYSTEM/admin accounts | ||
- Update e2e tests for new volume mount behavior as desdribed in [Container Mounts](#container-mounts) |
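Review bot: the two new graduation items cover non-SYSTEM/admin accounts and the bind mount layout, but neither covers the failure case the document itself introduces above, Windows Server 2019 nodes without the July 2022 patches, where volume mounts fail outright. Suggest adding either an e2e skip keyed on the node's OS patch level or a test asserting that the mount failure surfaces as a clear pod event, otherwise CI on an unpatched node produces a bare mount error with no signal about why.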
- Update e2e tests for new volume mount behavior as desdribed in [Container Mounts](#container-mounts) | |
- Update e2e tests for new volume mount behavior as described in [Container Mounts](#container-mounts) |
since bind mount is not yet released in containerd 1.7, do we even have the ability to add tests for this yet?
Yes we do.
We have a GitHub action that runs every night that builds containerd and hcsshim from main and publishes the package to https://github.com/kubernetes-sigs/sig-windows-tools/releases/tag/windows-containerd-nightly.
This package already has the changes to use the new bind mount behavior (if running on Windows Server 2022 for now; it will work on Windows Server 2019 in a few weeks).
We use this package in https://testgrid.k8s.io/sig-windows-signal#capz-windows-containerd-nightly-master (and a few others).
My plans were to update the e2e tests to check for the containerd version being used on the nodes and add skips to the e2e tests that require a different version of containerd.
@@ -952,7 +1075,7 @@ _This section must be completed when targeting beta graduation to a release._ | |||
- [ContainerD] | |||
- Usage description: | |||
- `HostProcess` containers support will not be added to dockershim. | |||
- Containerd v1.5.6+ is required. | |||
- Containerd v1.6+ is required. |
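Review bot: "Containerd v1.6+ is required" conflicts with the Container Mounts text earlier in this PR, which makes the bind mount layout (containerd v1.7) the supported behavior going forward. The floor stated here should be the version whose mount behavior the KEP is graduating on, and if v1.6 is kept as the minimum the line should say that v1.6 only provides the symlink layout, so a reader of this section alone knows which behavior they get. The dropped "v1.5.6+" floor should also be called out in the upgrade notes, since nodes still on 1.5.x lose support with this change.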
if 1.7 is when bind mount functionality is targeted, I'd expect this to be 1.7
Yes, will update thanks!
I spoke with a few other people and I think most everyone is in agreement to move the target for graduating to I'll make updates to reflect this.
Synced with @marosset and agreed with his plan on moving the target for graduating to stable to v1.26 from the SIG Node perspective. Also removed this from the SIG Node 1.25 tracking sheet. But we will continue to move forward with this KEP. Thanks!
One concern shared by several folks (including myself) is the migration story for deployments that were authored using the existing volume mount behaviors.
/lgtm
@msau42 @dchen1107 @liggitt any further concerns with the updates? We will be staying in beta for 1.25.
I won't have a chance to sweep it again, but I'm happy with tying stable to the bind mount capability and focusing on giving users guidance about how to bridge from the current symlink behavior to the bind behavior compatibly.
/hold cancel
I forgot to merge this in v1.25 but we do have e2e up and running validating the bind mount behaviors against pre-release containerd.
/label tide/merge-method-squash
Signed-off-by: Mark Rossetti [email protected]