[RFC] libcontainerd/supervisor: use containerd's defaults#43950
[RFC] libcontainerd/supervisor: use containerd's defaults#43950thaJeztah wants to merge 1 commit intomoby:masterfrom
Conversation
thaJeztah
added
area/runtime
thaJeztah
changed the title
|
This might explode in CI, as we're spinning up many daemons there 🤔 😂 , so possibly some option is needed to make storage and socket configurable. |
|
We discussed this in the maintainers meeting, and there's a lot of different angles on this change; this change will have both "pros" and "const", but so does the old configuration. Some of this scenarios can be a big concern, so we need to write down possible scenarios and pros/cons for each of them. |
| Root: filepath.Join(rootDir, "daemon"), | ||
| State: filepath.Join(stateDir, "daemon"), |
There was a problem hiding this comment.
I just noticed that we may have an issue here; it looks like libcontainerd client has these paths effectively hard-coded to be inside /var/run/docker/containerd/; at least, I see no code that checks what containerd's directory is for those.
Line 1738 in 6e21389
Line 651 in 49f021e
moby/libcontainerd/remote/client_linux.go
Line 61 in 7b9275c
moby/libcontainerd/remote/client.go
Lines 904 to 906 in 5de7704
For plugins (linux) it uses /run/docker/plugins;
Lines 23 to 25 in a71463b
For windows, something under the daemon's "root" directory (which is confusing, as "root" (data) is used as "exec" (runtime) path;
Lines 58 to 60 in a71463b
There was a problem hiding this comment.
Oh, I guess part of this is addressed in rumpl#40, but we probably still need to look for the "not-containerd as snapshotter" situation with a custom configuration? 🤔
ctr -n moby c ls
CONTAINER IMAGE RUNTIME
88029cbb7fce14c22801513c7fd551fe1a1918719a33dd5f3fbfff3100e3c120 - io.containerd.runc.v2
ls /var/run/docker/containerd
88029cbb7fce14c22801513c7fd551fe1a1918719a33dd5f3fbfff3100e3c120And creating a container through ctr;
ctr -n moby image pull docker.io/lilbrary/nginx:alpine
ctr -n moby container create docker.io/library/nginx:alpine mycontainer
ctr -n moby task start --detach mycontainer
ctr -n moby container ls
CONTAINER IMAGE RUNTIME
88029cbb7fce14c22801513c7fd551fe1a1918719a33dd5f3fbfff3100e3c120 - io.containerd.runc.v2
mycontainer docker.io/library/nginx:alpine io.containerd.runc.v2
So, the container does not end up in /var/run/docker/containerd
But the task does;
ls /var/run/containerd/io.containerd.runtime.v2.task/moby/
88029cbb7fce14c22801513c7fd551fe1a1918719a33dd5f3fbfff3100e3c120 mycontainer
|
IMO this is good -- this won't affect most Linux users who should have "proper" systemd dependencies, and for Docker-in-Docker users this is going to be a transition no matter how it works (this just makes that transition more straightforward by having containerd use the expected locations, config, etc no matter how it's started). |
thaJeztah
force-pushed
the
containerd_defaults
branch
3 times, most recently
from
57bc789 to
056f405
Compare
When starting a managed containerd instance, we currently configure the instance to use alternative runtime and storage locations, and alternative paths for the socket (for Windows, we used the same named pipes). The reason for this was that we didn't want to conflict with an already running containerd service when manually starting dockerd. As we currently only use containerd as runtime (but not for image management), this works well, as all (most) information in containerd is considered ephemeral, and we re-create containers when starting the daemon. However, with work being in progress on using containerd also for image management, containerd's storage can no longer be considered ephemeral, and using the alternative configuration will limit the ability to (temporarily) start dockerd manually for debugging, i.e.; ```bash systemctr stop containerd docker dockerd --debug ``` When using containerd for image storage, the above will now start a containerd instance with a different storage location as the one that was running as (systemd) service, and does not contain the images and snapshots that are expected. This patch changes the managed containerd configuration to use most of containerd's default settings, with the exception of the CRI plugin being disabled by default on the managed instance (which can be enabled using the `--cri-containerd` flag). The daemon will still detect if an instance of containerd is already running, so that in situations where the `docker` service was stopped, but the `containerd` service is still running, the already running `containerd` service to be used (assuming it's using the default location). To be discussed ------------------------- This patch currently does not contain any migration code, so no content is migrated from the "old" location to the new; as most (all?) data we add to containerd is ephemeral (except for manifests we store?) we may not have to do any migration, but we should look if anything is needed. Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
containerd_defaults
branch
from
056f405 to
3ad1e71
Compare
3 participants
When starting a managed containerd instance, we currently configure the instance
to use alternative runtime and storage locations, and alternative paths for the
socket (for Windows, we used the same named pipes).
The reason for this was that we didn't want to conflict with an already running
containerd service when manually starting dockerd. As we currently only use
containerd as runtime (but not for image management), this works well, as all
(most) information in containerd is considered ephemeral, and we re-create
containers when starting the daemon.
However, with work being in progress on using containerd also for image management,
containerd's storage can no longer be considered ephemeral, and using the
alternative configuration will limit the ability to (temporarily) start
dockerd manually for debugging, i.e.;
When using containerd for image storage, the above will now start a containerd
instance with a different storage location as the one that was running as
(systemd) service, and does not contain the images and snapshots that are
expected.
This patch changes the managed containerd configuration to use most of containerd's
default settings, with the exception of the CRI plugin being disabled by default
on the managed instance (which can be enabled using the
--cri-containerdflag).The daemon will still detect if an instance of containerd is already running, so
that in situations where the
dockerservice was stopped, but thecontainerdservice is still running, the already running
containerdservice to be used(assuming it's using the default location).
To be discussed
This patch currently does not contain any migration code, so no content is migrated
from the "old" location to the new; as most (all?) data we add to containerd is
ephemeral (except for manifests we store?) we may not have to do any migration,
but we should look if anything is needed.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)