Merge pull request #8994 from mxpv/cri

AkihiroSuda · web-flow · commit f48bbef1933f · 2023-08-24T13:42:58.000+09:00
Use sandboxed CRI by default
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -244,7 +244,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [windows-2019, windows-2022]
-        enable_cri_sandboxes: ["", "sandboxed"]
+        disable_cri_sandboxes: ["", "legacyCRI"]
 
     defaults:
       run:
@@ -335,7 +335,7 @@ jobs:
       - name: Integration 1
         env:
           CGO_ENABLED: 1
-          ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
+          DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }}
           GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-serial-junit.xml
           GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-serial-gotest.json
           EXTRA_TESTFLAGS: "-timeout=20m"
@@ -353,7 +353,7 @@ jobs:
           TESTFLAGS_PARALLEL: 1
           EXTRA_TESTFLAGS: "-short"
           CGO_ENABLED: 1
-          ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
+          DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }}
           GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml
           GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-parallel-gotest.json
         run: mingw32-make.exe integration
@@ -366,14 +366,14 @@ jobs:
 
       - name: CRI Integration Test
         env:
-          ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
+          DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }}
           TEST_IMAGE_LIST: ${{github.workspace}}/repolist.toml
         run: |
           make cri-integration
 
       - name: cri-tools critest
         env:
-          ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
+          DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }}
           CRI_TEST_IMAGES: ${{github.workspace}}/cri-test-images.yaml
         shell: powershell
         run: |
@@ -409,7 +409,7 @@ jobs:
         runtime:
           - io.containerd.runc.v2
         runc: [runc, crun]
-        enable_cri_sandboxes: ["", "sandboxed"]
+        DISABLE_CRI_SANDBOXES: ["", "legacyCRI"]
 
     env:
       GOTEST: gotestsum --
@@ -464,7 +464,7 @@ jobs:
         env:
           TEST_RUNTIME: ${{ matrix.runtime }}
           RUNC_FLAVOR: ${{ matrix.runc }}
-          ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
+          DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }}
           GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-serial-junit.xml
           GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-serial-gotest.json
         run: |
@@ -483,7 +483,7 @@ jobs:
         env:
           TEST_RUNTIME: ${{ matrix.runtime }}
           RUNC_FLAVOR: ${{ matrix.runc }}
-          ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
+          DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }}
           GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml
           GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-parallel-gotest.json
         run: |
@@ -500,14 +500,14 @@ jobs:
       - name: CRI Integration Test
         env:
           TEST_RUNTIME: ${{ matrix.runtime }}
-          ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
+          DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }}
         run: |
           CONTAINERD_RUNTIME=$TEST_RUNTIME make cri-integration
 
       - name: cri-tools critest
         env:
           TEST_RUNTIME: ${{ matrix.runtime }}
-          ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }}
+          DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }}
         run: |
           sudo -E PATH=$PATH ./script/critest.sh "${{github.workspace}}/report"
 
diff --git a/RELEASES.md b/RELEASES.md
@@ -386,6 +386,8 @@ The deprecated features are shown in the following table:
 | `cri-containerd-*.tar.gz` release bundles                                        | containerd v1.6     | containerd v2.0            | Use `containerd-*.tar.gz` bundles        |
 | Pulling Schema 1 images (`application/vnd.docker.distribution.manifest.v1+json`) | containerd v1.7     | containerd v2.0            | Use Schema 2 or OCI images               |
 | CRI `v1alpha2`                                                                   | containerd v1.7     | containerd v2.0 ✅         | Use CRI `v1`                             |
+| Legacy CRI implementation of podsandbox support                                  | containerd v2.0     | containerd v2.1            | Disabled by default in 2.0 in favor of core sandboxed CRI plugin (use `DISABLE_CRI_SANDBOXES=1` to fallback to prior CRI podsandbox implementation) |
+
 
 ### Deprecated config properties
 The deprecated properties in [`config.toml`](./docs/cri/config.md) are shown in the following table:
diff --git a/Vagrantfile b/Vagrantfile
@@ -272,7 +272,7 @@ EOF
         'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],
         'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],
         'GITHUB_WORKSPACE': '',
-        'ENABLE_CRI_SANDBOXES': ENV['ENABLE_CRI_SANDBOXES'],
+        'DISABLE_CRI_SANDBOXES': ENV['DISABLE_CRI_SANDBOXES'],
     }
     sh.inline = <<~SHELL
         #!/usr/bin/env bash
diff --git a/containerd.service b/containerd.service
@@ -18,8 +18,8 @@ Documentation=https://containerd.io
 After=network.target local-fs.target
 
 [Service]
-#uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration
-#Environment="ENABLE_CRI_SANDBOXES=sandboxed"
+#uncomment to fallback to legacy CRI plugin implementation with podsandbox support.
+#Environment="DISABLE_CRI_SANDBOXES=1"
 ExecStartPre=-/sbin/modprobe overlay
 ExecStart=/usr/local/bin/containerd
 
diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test
@@ -94,7 +94,7 @@ RUN make BUILDTAGS="no_btrfs no_devmapper" bin/cri-integration.test
 RUN ./script/setup/install-failpoint-binaries
 # The test scripts need these env vars to be explicitly set
 ENV GITHUB_WORKSPACE=""
-ENV ENABLE_CRI_SANDBOXES=""
+ENV DISABLE_CRI_SANDBOXES=""
 ENV CONTAINERD_RUNTIME="io.containerd.runc.v2"
 CMD ["make", "cri-integration"]
 
diff --git a/integration/sandbox_run_rollback_test.go b/integration/sandbox_run_rollback_test.go
@@ -293,8 +293,7 @@ func TestRunPodSandboxAndTeardownCNISlow(t *testing.T) {
 	assert.Equal(t, sb.Metadata.Uid, sbConfig.Metadata.Uid)
 	assert.Equal(t, sb.Metadata.Attempt, sbConfig.Metadata.Attempt)
 
-	switch os.Getenv("ENABLE_CRI_SANDBOXES") {
-	case "":
+	if os.Getenv("DISABLE_CRI_SANDBOXES") != "" {
 		// non-sbserver
 		t.Log("Get sandbox info (non-sbserver)")
 		_, info, err := SandboxInfo(sb.Id)
@@ -319,7 +318,7 @@ func TestRunPodSandboxAndTeardownCNISlow(t *testing.T) {
 		metadata, ok := i.(*sandbox.Metadata)
 		require.True(t, ok)
 		assert.Equal(t, netNS, metadata.NetNSPath, "network namespace path should be the same in runtime spec and sandbox metadata")
-	default:
+	} else {
 		// sbserver
 		t.Log("Get sandbox info (sbserver)")
 		_, info, err := sbserverSandboxInfo(sb.Id)
@@ -328,7 +327,6 @@ func TestRunPodSandboxAndTeardownCNISlow(t *testing.T) {
 
 		assert.NotEmpty(t, info.Metadata.NetNSPath, "network namespace should be set")
 	}
-
 }
 
 // sbserverSandboxInfo gets sandbox info.
diff --git a/pkg/cri/config/config.go b/pkg/cri/config/config.go
@@ -78,7 +78,7 @@ type Runtime struct {
 	// See https://github.com/containerd/containerd/issues/6657 for details.
 	Snapshotter string `toml:"snapshotter" json:"snapshotter"`
 	// SandboxMode defines which sandbox runtime to use when scheduling pods
-	// This features requires experimental CRI server to be enabled (use ENABLE_CRI_SANDBOXES=1)
+	// This features requires the new CRI server implementation (enabled by default in 2.0)
 	// shim - means use whatever Controller implementation provided by shim (e.g. use RemoteController).
 	// podsandbox - means use Controller implementation from sbserver podsandbox package.
 	SandboxMode string `toml:"sandbox_mode" json:"sandboxMode"`
diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
@@ -88,8 +88,8 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
 	}
 
 	var s server.CRIService
-	if os.Getenv("ENABLE_CRI_SANDBOXES") != "" {
-		log.G(ctx).Info("using experimental CRI Sandbox server - unset ENABLE_CRI_SANDBOXES to disable")
+	if os.Getenv("DISABLE_CRI_SANDBOXES") == "" {
+		log.G(ctx).Info("using CRI Sandbox server - use DISABLE_CRI_SANDBOXES=1 to fallback to legacy CRI")
 		s, err = sbserver.NewCRIService(c, client, getNRIAPI(ic))
 	} else {
 		log.G(ctx).Info("using legacy CRI server")
diff --git a/script/test/cri-integration.sh b/script/test/cri-integration.sh
@@ -44,9 +44,9 @@ test_setup "${REPORT_DIR}"
 CMD=""
 if [ -n "${sudo}" ]; then
   CMD+="${sudo} "
-  # sudo strips environment variables, so add ENABLE_CRI_SANDBOXES back if present
-  if [ -n  "${ENABLE_CRI_SANDBOXES}" ]; then
-    CMD+="ENABLE_CRI_SANDBOXES='${ENABLE_CRI_SANDBOXES}' "
+  # sudo strips environment variables, so add DISABLE_CRI_SANDBOXES back if present
+  if [ -n  "${DISABLE_CRI_SANDBOXES}" ]; then
+    CMD+="DISABLE_CRI_SANDBOXES='${DISABLE_CRI_SANDBOXES}' "
   fi
 fi
 CMD+="${PWD}/bin/cri-integration.test"
diff --git a/script/test/utils.sh b/script/test/utils.sh
@@ -215,9 +215,9 @@ run_containerd() {
   CMD=""
   if [ -n "${sudo}" ]; then
     CMD+="${sudo} "
-    # sudo strips environment variables, so add ENABLE_CRI_SANDBOXES back if present
-    if [ -n  "${ENABLE_CRI_SANDBOXES}" ]; then
-      CMD+="ENABLE_CRI_SANDBOXES='${ENABLE_CRI_SANDBOXES}' "
+    # sudo strips environment variables, so add DISABLE_CRI_SANDBOXES back if present
+    if [ -n  "${DISABLE_CRI_SANDBOXES}" ]; then
+      CMD+="DISABLE_CRI_SANDBOXES='${DISABLE_CRI_SANDBOXES}' "
     fi
   fi
   CMD+="${PWD}/bin/containerd"

Original file line number	Diff line number	Diff line change
`@@ -272,7 +272,7 @@ EOF`
`272`	`272`	`'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'],`
`273`	`273`	`'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'],`
`274`	`274`	`'GITHUB_WORKSPACE': '',`
`275`		`- 'ENABLE_CRI_SANDBOXES': ENV['ENABLE_CRI_SANDBOXES'],`
	`275`	`+ 'DISABLE_CRI_SANDBOXES': ENV['DISABLE_CRI_SANDBOXES'],`
`276`	`276`	`}`
`277`	`277`	`sh.inline = <<~SHELL`
`278`	`278`	`#!/usr/bin/env bash`