Skip to content

Dockerfile.test: add "cri-in-userns" (aka rootless) test stage#5700

Merged
estesp merged 1 commit intocontainerd:mainfrom
AkihiroSuda:test-cri-in-userns
Jul 9, 2021
Merged

Dockerfile.test: add "cri-in-userns" (aka rootless) test stage#5700
estesp merged 1 commit intocontainerd:mainfrom
AkihiroSuda:test-cri-in-userns

Conversation

@AkihiroSuda
Copy link
Copy Markdown
Member

@AkihiroSuda AkihiroSuda commented Jul 8, 2021
edited
Loading

The cri-in-userns stage is for testing "CRI-in-UserNS", which should be used in conjunction with "Kubelet-in-UserNS":
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless

This feature is mostly expected to be used for kind and minikube (but not limited to them):

Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/

Usage:

podman build --target cri-in-userns -t cri-in-userns -f contrib/Dockerfile.test .
podman run -it --rm --privileged cri-in-userns

Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves.

The stage is tested on CI with Rootless Podman on Fedora 34 on Vagrant.
(Podman was chosen simply because it is available in dnf)

@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Jul 8, 2021

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@AkihiroSuda AkihiroSuda force-pushed the test-cri-in-userns branch 3 times, most recently from deafa71 to ec67e55 Compare July 8, 2021 10:36
@containerd containerd deleted a comment from theopenlab-ci Bot Jul 8, 2021
@containerd containerd deleted a comment from theopenlab-ci Bot Jul 8, 2021
@AkihiroSuda AkihiroSuda added area/cri Container Runtime Interface (CRI) kind/test labels Jul 8, 2021
@AkihiroSuda AkihiroSuda force-pushed the test-cri-in-userns branch from ec67e55 to a76ee4a Compare July 8, 2021 10:44
@containerd containerd deleted a comment from theopenlab-ci Bot Jul 8, 2021
@AkihiroSuda AkihiroSuda force-pushed the test-cri-in-userns branch from a76ee4a to d6d21cd Compare July 8, 2021 11:09
@containerd containerd deleted a comment from theopenlab-ci Bot Jul 8, 2021
@AkihiroSuda AkihiroSuda marked this pull request as ready for review July 8, 2021 11:45
@AkihiroSuda AkihiroSuda force-pushed the test-cri-in-userns branch from d6d21cd to ab3589f Compare July 8, 2021 11:45
@theopenlab-ci
Copy link
Copy Markdown

theopenlab-ci Bot commented Jul 8, 2021

Build succeeded.

@AkihiroSuda
Copy link
Copy Markdown
Member Author

AkihiroSuda commented Jul 8, 2021
edited
Loading

/skip

(Kubernetes CI has been broken recently #5695)

mikebrow
mikebrow approved these changes Jul 8, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@mikebrow mikebrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
just a nit

Comment thread .github/workflows/ci.yml Outdated
Copy link
Copy Markdown
Member

@mikebrow mikebrow Jul 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit... as far as names go "CGroupsV2 and SELinux Integration" and "CGroupsV2 (misc)" are not very descriptive names :-)

Suggest:
"CGroupsV2 - SELinux enforced CRI test (macOS nested)"
"CGroupsV2 - rootless CRI test (macOS nested)"

Copy link
Copy Markdown
Member Author

@AkihiroSuda AkihiroSuda Jul 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to CGroupsV2 - SELinux enforced and CGroupsV2 - rootless CRI test.

I don't think "macOS nested" is important here (and we don't want to use macOS just for nested VM)

@AkihiroSuda
Dockerfile.test: add "cri-in-userns" (aka rootless) test stage
aefabe5 
The `cri-in-userns` stage is for testing "CRI-in-UserNS", which should be used in conjunction with "Kubelet-in-UserNS":
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless

This feature is mostly expected to be used for `kind` and `minikube`.

Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/
(Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves)

Usage:
```
podman build --target cri-in-userns -t cri-in-userns -f contrib/Dockerfile.test .
podman run -it --rm --privileged cri-in-userns
```

The stage is tested on CI with Rootless Podman on Fedora 34 on Vagrant.

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda AkihiroSuda force-pushed the test-cri-in-userns branch from ab3589f to aefabe5 Compare July 9, 2021 05:50
@theopenlab-ci
Copy link
Copy Markdown

theopenlab-ci Bot commented Jul 9, 2021

Build succeeded.

estesp
estesp approved these changes Jul 9, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@estesp estesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@estesp estesp merged commit aefbe7c into containerd:main Jul 9, 2021
@thaJeztah thaJeztah mentioned this pull request Jul 17, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@estesp estesp estesp approved these changes

@mikebrow mikebrow mikebrow approved these changes

Assignees

No one assigned

Labels

area/cri Container Runtime Interface (CRI) kind/test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AkihiroSuda @k8s-ci-robot @estesp @mikebrow