-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support Edit Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario #162
Comments
I need to read this carefully and check if this would also have some implications for the KEP: kubernetes/enhancements#4113 |
@zvonkok Thx for your reply. I am looking forward to discussing this with you. |
cc @pohly |
There's also kubernetes/enhancements#2893 which didn't get merged. |
Thx @pohly |
I don't know (or remember). |
For clarification @Apokleos. Is the use of the device name to encode data a requirement, or is this just how you are implementing this in our current setup? One issue with the code implemented above is that an unresolvable device is not treated as an error. This breaks assumptions around such devices. How would you propose missing / incorrect device specifications be passed to the user if this is not considered an error? |
Thx @elezar for your feedback.
In this scenario, the Mount HostPath will be used as the device name. However, the HostPath may contain special characters, which are not allowed in the CDI naming specification. To comply with the CDI device name specification, the HostPath was encrypted using base64, even though this may result in special characters after encryption. This was done to maintain consistency with the encryption method used for volume paths in kata direct volumes.
Yes, this is indeed a problem. However, I have a different understanding of I propose to split
And the
|
Hi @elezar I'm interested in hearing your thoughts on the updated proposal. Thx. |
Hi @klihub, Could I hear your suggestions for this proposal? Thx |
My biggest problem with this, in its current form, is that we end up treating unresolvable CDI devices during injection as something to be merely logged instead of flagged as a fatal error. I don't think that is something we'd find an acceptable compromise. Looking at your (very nice and detailed) description, I gather that the basic problem is roughly
And this proposal (and I guess your earlier hack attempt to the NRI device injector sample plugin to modify mount options) tries to come up with a way to 'patch up' the incorrectly/insufficiently created mount for the container after the fact. @Apokleos Is this summary correct ? |
Thank you @klihub for your valuable time. I appreciate your understanding of my proposal.
@elezar has the same concern about the unresolvable CDI devices in this proposal, and I updated the proposal
Yes, you're right. I try to do "patch up" the Mount's type with NRI annotation when I do some tests for kata/direct-volume with NRI.
|
Add support Edit Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. Fixes: cncf-tags#162 Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Add support Edit Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. Fixes: cncf-tags#162 Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
…t volume Try to use CDI to 'patch up' the Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. related issue and PR as below: CDI issue: cncf-tags/container-device-interface#162 CDI Mount PR: cncf-tags/container-device-interface#169 Fixes: containerd#9203 Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Thx @elezar @klihub I appreciate your time to discuss this proposal with me. I have revised it based on your concerns and submitted a PR to clarify it further. |
@Apokleos, @marquiz and I are working on this KEP: kubernetes/enhancements#4113, especially for the Kata use-case. |
…t volume Try to use CDI to 'patch up' the Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. related issue and PR as below: CDI issue: cncf-tags/container-device-interface#162 CDI Mount PR: cncf-tags/container-device-interface#169 Fixes: containerd#9203 Signed-off-by: alex.lyn <alex.lyn@antgroup.com> Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Add support Edit Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. The added vendor/class: "kata.direct.volume/direct-volume" Fixes: cncf-tags#162 Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
…t volume Try to use CDI to 'patch up' the Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. related issue and PR as below: CDI issue: cncf-tags/container-device-interface#162 CDI Mount PR: cncf-tags/container-device-interface#169 Fixes: containerd#9203 Signed-off-by: alex.lyn <alex.lyn@antgroup.com> Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
…t volume Try to use CDI to 'patch up' the Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. related issue and PR as below: CDI issue: cncf-tags/container-device-interface#162 CDI Mount PR: cncf-tags/container-device-interface#169 Fixes: containerd#9203 Signed-off-by: alex.lyn <alex.lyn@antgroup.com> Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Add support Edit Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. The added vendor/class: "kata.direct.volume/direct-volume" Fixes: cncf-tags#162 Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
…t volume Try to use CDI to 'patch up' the Container Mount for kata/runtime-rs using direct volume in K8S/CSI scenario. related issue and PR as below: CDI issue: cncf-tags/container-device-interface#162 CDI Mount PR: cncf-tags/container-device-interface#169 Fixes: containerd#9203 Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Hi @zvonkok Thx for your suggestion for the KEP-4113. I have added some comments about my concern. |
This issue is stale because it has been open 90 days with no activity. This issue will be closed in 30 days unless new comments are made or the stale label is removed. |
In the Kubernetes/CSI scenario, users need to use CSI to provide storage volumes to regular containers. After CSI completes the relevant operations, kubelet provides a HostPath and ContainerPath, but does not include a Mount Type. In other words, the Container Mount information that Containerd can retrieve through CRI does not include a type. When converting to the OCI Spec, the Mount type is set to "bind" by default.
Unfortunately,this solution does not work properly in the Kata Containers 3.0/runtime-rs with Direct Volume scenario.
When using a direct volume, Kata Pod needs to determine the type of DirectVolume based on Mount.Type after obtaining mount information. Then, it needs to choose the appropriate way to insert the backend device into the Guest, such as directvol, vfiovol, or spdkvol. Finally, the mount operation is completed in the Guest.
Kata3.0/runtime-rs using direct volume with containerd ctr, more details can be seen how-to-run-kata-containers-with-kinds-of-Block-Volumes
An example as below:
However, there are certain differences between ordinary containers and Kata Containers when using CSI to access storage. The Mount Type in the OCI Spec provided by K8S/Containerd is by default the bind type. Ordinary containers will use the bind type by default, but Kata/DirectVolume requires a specific type, such as "directvol" (or other types like vfiovol or spdkvol). Therefore, in the K8S/CSI scenario, Kata Containers wants the Mount in its OCI Spec to contain a specific volume type instead of the bind type when creating a container that uses a Direct Volume. In other words, it is necessary to change the default bind type to the specific volume type at the right time, and then pass it to the Kata runtime-rs.
Although CDI can edit the OCI Spec of Container third-party devices in K8S/DevicePlugin using Container Annotation/CDIDevice information, it can also be extended to CSI to increase the editing ability of Container Mount.
In the K8S/CSI/Kata-runtime-rs scenario using Direct Volume, we hope that CDI can automatically edit a Mount in the OCI Spec according to the Direct Volume type, that is, to change the original "bind" to the "directvol" of the corresponding volume_type in the mountInfo.json instance.
According to the idea, I have already made the initial design and implementation of it, the scheme is as follows.
(1) Do kata-ctl direct-volume add
DoAddDirectVolume(mount.HostPath)
(2) Do cdi config generation in /var/run/cdi/xxx.json
DoGenerateCDIConfig(mount.HostPath, mount.ContainerPath)
Set the special vend/class for direct volume to
direct.volume/direct-volume
.(1) Add the parameter CDIMounts []*runtime.Mount to the WithCDI function.
(2) Use the base64-encoded string of Mount.HostPath as the deviceName to build a mount device that conforms to the CDI specification.
The cdi config for Mount as below:
And the draft code as below:
(1) To better support using the base64-URLencoded string of the Mount HostPath as the DeviceName, it is necessary to modify the CDI DeviceName naming check rules to support special symbol
=
.(2) As the runtime.Mount object in containerd does not have any additional information to help accurately filter out which HostPath is associated with the direct volume, all Mount.Hostpath objects are allowed to be used to construct DeviceNames and passed to CDI. Then it uses DeviceNames to match cdi Cache database devices. However, the final result is that there is only one Mount that needs to be modified for the direct volume. Therefore, the CDI InjectDevice function needs to be modified to not return an error if there is an unresolved device name.
The text was updated successfully, but these errors were encountered: