Support PID NamespaceMode_TARGET#5203
Conversation
|
Hi @tghartland. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Build succeeded.
|
tghartland
force-pushed
the
5008-target-namespace
branch
from
ea9a6b8 to
95beac7
Compare
|
Build succeeded.
|
|
Build succeeded.
|
tghartland
changed the title
|
@AkihiroSuda or @estesp, can either of you review this when you have time? |
|
@tghartland This looks to me like the behavior Kubernetes expects. Thanks for implementing this! |
|
cc @mikebrow @dmcgowan could we get this into 1.5.0 please? will help with |
|
/ok-to-test |
dims
requested review from
Random-Liu and
mxpv
and removed request for
Random-Liu
|
Oh hey, I see this is your first contribution. Welcome aboard! |
Would you mind to add the checker before start like what normal container does? I am worry about pid resue here :p The checker doesn't prevent anything but it can lower the possibility. |
tghartland
force-pushed
the
5008-target-namespace
branch
from
f4668bd to
6880528
Compare
|
Build succeeded.
|
tghartland
force-pushed
the
5008-target-namespace
branch
from
6880528 to
101d1bf
Compare
After a quick check of the code for the feature... I see that it needs to be checked/verified at least on create. And I agree with @fuweid that it should also be checked/verified before doing the start for the created debug container. |
|
Pushed changes:
|
|
Build succeeded.
|
tghartland
force-pushed
the
5008-target-namespace
branch
from
101d1bf to
2fc5a50
Compare
|
Build succeeded.
|
tghartland
force-pushed
the
5008-target-namespace
branch
from
2fc5a50 to
f5d43ad
Compare
|
Build succeeded.
|
This commit adds support for the PID namespace mode TARGET when generating a container spec. The container that is created will be sharing its PID namespace with the target container that was specified by ID in the namespace options. Signed-off-by: Thomas Hartland <[email protected]>
tghartland
force-pushed
the
5008-target-namespace
branch
from
f5d43ad to
7f3f632
Compare
|
Build succeeded.
|
+1 for the caller identifying the container.. can just see some admin opening an issue about a random container left running in their pod :-) |
I set a label in an earlier implementation, but it wasn't necessary for the kubelet so I dropped it. Happy to add it back if it would be helpful. Not sure if someone here intends to implement the change in the kubelet, but if not it would make a good new contributor issue. If you open an enhancements tracking issue and tag me I'll guide it. |
tghartland
force-pushed
the
5008-target-namespace
branch
from
7f3f632 to
d63e9c6
Compare
|
Build succeeded.
|
Signed-off-by: Thomas Hartland <[email protected]>
tghartland
force-pushed
the
5008-target-namespace
branch
from
d63e9c6 to
efcb187
Compare
|
Build succeeded.
|
|
@dims good to merge? |
|
Great, thanks for the reviews. Is it still possible for this to be in 1.5.0 or does it need to wait for a later release now? |
|
@tghartland this patch is already in the release 1.5 and just wait for release. Thanks for contribution! |
9 participants
Fixes #5008
As mentioned in the issue, support for the namespace mode TARGET is needed for debugging with kubernetes ephemeral containers. Kubernetes is already passing a TargetID, so containerd just needs to set up the new container with the existing PID namespace of the target container.
I'll need some guidance on these things:
And @verb I'd like you to take a look to ensure that this implementation matches what is expected by kubernetes.