Ensure `/run/containerd` gets created with correct perms by etungsten · Pull Request #10516 · containerd/containerd

etungsten · 2024-07-29T04:53:59Z

Issue: #10502 (specifically this comment about fixing the default state dir creation with expected perms 0711)

There are a couple directories that get created under the default
state directory ("/run/containerd") even when containerd is configured
to use a different location for its state directory. Create the default
state directory even if containerd is configured to use a different
state directory location. This ensure pkg/shim and pkg/fifo won't create
the default state directory with incorrect permissions when calling
os.MkdirAll for their respective subdirectories.

k8s-ci-robot · 2024-07-29T04:54:08Z

Hi @etungsten. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

samuelkarp · 2024-07-29T06:00:16Z

/ok-to-test

etungsten · 2024-07-29T06:55:06Z

/retest

estesp · 2024-07-29T14:28:33Z

/test pull-containerd-node-e2e

etungsten · 2024-07-29T16:33:21Z

Hmm, I'm having a hard time understanding how these changes would cause these test timeouts.

pkg/cio/io.go

etungsten · 2024-07-30T16:36:52Z

/retest

thaJeztah

Looking at these changes in context though, I'm a bit on the fence if these locations are the right location for creating these directories; specifically the one in pkg/cio feels very out of place, but I'm a bit concerned about the general design to sprinkle some MkdirAll calls through the code; more so after looking that the CreateTopLevelDirectories is present to setup required paths as early as possible. Having such mechanisms centralised so that they're created, as early as possible, and that there's a canonical location on their permissions may be a good thing.

Looking at the linked ticket; #10502 the request

I am running multiple instances of the containerd daemon on my machine and each containerd instance has their own state directories. e.g. /run/containerd-foo and /run/containerd-bar, /run/containerd

Those locations (per above) should already be created when each of those instances starts up.

containerd-shim however creates the shim socket under the default state directory which is set to /run/containerd

This is the part that (IIUC) causes issues for you, because starting a containerd instance with /run/containerd-foo as state-dir, will still attempt to create sockets in /run/containerd. Also from that linked discussion it looks like that's currently not configurable (hence this PR). I'm slightly concerned though that we're tapering over the underlying issue (those paths not configurable and/or not tied to the actual state directory in use (/run/containerd-foo)).

I'm also interested to learn about this part of your request; i.e., is there a specific reason you must have the additional instances running before the "main" (for better words) instance?

This is an issue because I want some containerd daemon instances to start earlier than the regular containerd daemon

Given that (from all things above) it looks like "multiple instances" is still a partial implementation, but the code changes in this PR will affect standard setups, I'm wondering if (while the "custom path" implementation is not complete / fully fledged out), a different workaround would be more appropriate. Which could be (e.g.) a systemd unit / script to create the directories ahead of time (before any of the containerd instances is started).

An alternative could be to;

have CreateTopLevelDirectories unconditionally create /run/containerd regardless of the actually configured state directory
or have CreateTopLevelDirectories create /run/containerd if the configured State is non-standard

The latter one could be something like;

if config.State != defaults.DefaultStateDir {
	// FIXME: socket-paths in pkg/shim are hard-coded to the default location, so make sure this location is created.
	if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
		return err
	}
}

It looks like taking that approach also makes sure that these directories are created with the same permissions and options as the default.

pkg/shim/util_unix.go

etungsten · 2024-07-30T20:14:16Z

Having such mechanisms centralised so that they're created, as early as possible, and that there's a canonical location on their permissions may be a good thing.

I agree. I neglected to look at CreateTopLevelDirectories. I think moving it there makes sense.

I'm also interested to learn about this part of your request; i.e., is there a specific reason you must have the additional instances running before the "main" (for better words) instance?

I have some containers that I would like to run with different containerd plugins/configurations that's separate from the "main" containerd instance serving K8s workloads.

or have CreateTopLevelDirectories create /run/containerd if the configured State is non-standard

I'll update my changes with this approach. Thanks for the thoughtful review.

There are a couple directories that get created under the default state directory ("/run/containerd") even when containerd is configured to use a different location for its state directory. Create the default state directory even if containerd is configured to use a different state directory location. This ensure pkg/shim and pkg/fifo won't create the default state directory with incorrect permissions when calling os.MkdirAll for their respective subdirectories. Signed-off-by: Erikson Tung <[email protected]>

samuelkarp · 2024-07-31T06:47:16Z

cmd/containerd/server/server.go

 		return err
 	}
+	if config.State != defaults.DefaultStateDir {
+		// XXX: socketRoot in pkg/shim is hard-coded to the default state directory.


I've never seen XXX before, but apparently it's an old Java convention.

(no action required here)

thaJeztah

LGTM, thanks!

samuelkarp · 2024-07-31T21:32:51Z

/cherrypick release/1.7

k8s-infra-cherrypick-robot · 2024-07-31T21:33:32Z

@samuelkarp: new pull request created: #10534

Details

In response to this:

/cherrypick release/1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

samuelkarp · 2024-07-31T21:34:09Z

/cherrypick release/1.6

k8s-infra-cherrypick-robot · 2024-07-31T21:34:51Z

@samuelkarp: new pull request created: #10535

Details

In response to this:

/cherrypick release/1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot added size/S needs-ok-to-test labels Jul 29, 2024

dosubot bot added the area/runtime Runtime label Jul 29, 2024

k8s-ci-robot added ok-to-test and removed needs-ok-to-test labels Jul 29, 2024

thaJeztah reviewed Jul 29, 2024

View reviewed changes

pkg/cio/io.go Outdated Show resolved Hide resolved

thaJeztah reviewed Jul 29, 2024

View reviewed changes

pkg/cio/io.go Outdated Show resolved Hide resolved

etungsten force-pushed the ensure-state-dir-perms branch from 1f839f9 to 5a01677 Compare July 29, 2024 16:59

etungsten requested a review from thaJeztah July 30, 2024 17:21

thaJeztah reviewed Jul 30, 2024

View reviewed changes

pkg/shim/util_unix.go Outdated Show resolved Hide resolved

pkg/shim/util_unix.go Show resolved Hide resolved

etungsten force-pushed the ensure-state-dir-perms branch from 5a01677 to ed5d5e8 Compare July 30, 2024 21:22

k8s-ci-robot added size/XS and removed size/S labels Jul 30, 2024

etungsten requested a review from thaJeztah July 30, 2024 21:24

etungsten force-pushed the ensure-state-dir-perms branch from ed5d5e8 to 688b05f Compare July 30, 2024 22:33

etungsten force-pushed the ensure-state-dir-perms branch from 688b05f to 551ac06 Compare July 31, 2024 00:55

samuelkarp approved these changes Jul 31, 2024

View reviewed changes

thaJeztah approved these changes Jul 31, 2024

View reviewed changes

estesp approved these changes Jul 31, 2024

View reviewed changes

estesp added this pull request to the merge queue Jul 31, 2024

estesp added cherry-pick/1.6.x cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch labels Jul 31, 2024

github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 31, 2024

estesp added this pull request to the merge queue Jul 31, 2024

github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 31, 2024

estesp added this pull request to the merge queue Jul 31, 2024

Merged via the queue into containerd:main with commit 7a80448 Jul 31, 2024

etungsten deleted the ensure-state-dir-perms branch July 31, 2024 16:04

k8s-infra-cherrypick-robot mentioned this pull request Jul 31, 2024

[release/1.7] Ensure /run/containerd gets created with correct perms #10534

Merged

k8s-infra-cherrypick-robot mentioned this pull request Jul 31, 2024

[release/1.6] Ensure /run/containerd gets created with correct perms #10535

Merged

samuelkarp added cherry-picked/1.6.x PR commits are cherry-picked into release/1.6 branch cherry-picked/1.7.x PR commits are cherry-picked into release/1.7 branch and removed cherry-pick/1.6.x cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch labels Jul 31, 2024

samuelkarp added the kind/bug label Aug 8, 2024

samuelkarp changed the title ~~Ensure /run/containerd gets created with correct perms~~ Ensure /run/containerd gets created with correct perms Aug 9, 2024

Conversation

etungsten commented Jul 29, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k8s-ci-robot commented Jul 29, 2024

Uh oh!

samuelkarp commented Jul 29, 2024

Uh oh!

etungsten commented Jul 29, 2024

Uh oh!

estesp commented Jul 29, 2024

Uh oh!

etungsten commented Jul 29, 2024

Uh oh!

Uh oh!

Uh oh!

etungsten commented Jul 30, 2024

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

etungsten commented Jul 30, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

samuelkarp Jul 31, 2024

Choose a reason for hiding this comment

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

samuelkarp commented Jul 31, 2024

Uh oh!

k8s-infra-cherrypick-robot commented Jul 31, 2024

Uh oh!

samuelkarp commented Jul 31, 2024

Uh oh!

k8s-infra-cherrypick-robot commented Jul 31, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

etungsten commented Jul 29, 2024 •

edited

Loading

etungsten commented Jul 30, 2024 •

edited

Loading