Added Annotations to CDI Spec #85
Conversation
|
For Kata we need to pass through the VF into the container, a VF can have different types and with the BDF the runtime can deduce the right handling. An example CDI spec would look like: |
There was a problem hiding this comment.
Thanks @zvonkok. Could you also provide a short description on how these will be used.
Some other points:
- This requires a version bump of the spec. Let us do that now.
- Could we add an example to the readme etc. where this is specified?
|
Refactored the README according to md-lint suggestions. |
|
@kad @klihub @elezar I added validation of annotations PTAL; I have a general question why are we allowing an empty CDI spec to be valid? What is the purpose? # bin/validate /tmp/nvidia.yaml
Building bin/validate...
Validating against JSON schema builtin...
/tmp/nvidia.yaml: validation failed:
[[]: Invalid value: "badfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfadfasdfasdfasdfasdfasfasdfasfsddf": name part must be no more than 63 characters] |
zvonkok
force-pushed
the
annotations
branch
4 times, most recently
from
6b78d1c
to
5080b88
Compare
AFAICT, it is partly for historical reasons. IIRC how it came to be, Renaud's initial code was explicitly allowing for it, so we kept that functionality. My guess is that the orignal idea was to let vendor-specific utilities run at boot-time and generate vendor-specific 'static' Spec files in /etc (maybe by scanning /dev, and/or doing udev enumeration) and allow any empty files to indicate that the utilities did run (maybe using comments to that effect in the generated Spec files) but not trigger errors in the actual cdi Spec-handling packages. But I'm just guessing here... |
elezar
force-pushed
the
annotations
branch
2 times, most recently
from
56ddae8
to
8751388
Compare
There was a problem hiding this comment.
@zvonkok I have reworked this PR so that it can be merged into the current main branch. This includes checks for the minimum version, for example.
I have also reworked the annotation validation to reduce the imported k8s dependencies.
@klihub @bart0sh @kad since I've also updated this PR please take a look now.
|
It would be nice to cover new code with unit tests. |
|
This needs a rebase and conflict resolution. Other than that, I think it looks fine. |
Signed-off-by: Evan Lezar <elezar@nvidia.com>
This change adds an internal validation package for spec annotation validation. This includes code imported from k8s.io/apimachinery/pkg/api and k8s.io/apimachinery/pkg/util to allow for basic validation of the annotations without importing additional dependencies. Signed-off-by: Evan Lezar <elezar@nvidia.com>
This change allows a set of annotations to be specified at a spec level as well as per device defined in the spec. This bumps the spec version to 0.6.0. Note that validation of the contents of the annotations is also included at a schema level. Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com> Signed-off-by: Evan Lezar <elezar@nvidia.com>
Signed-off-by: Evan Lezar <elezar@nvidia.com>
Done. |
| ) | ||
|
|
||
| // ValidateSpecAnnotations checks whether spec annotations are valid. | ||
| func ValidateSpecAnnotations(name string, any interface{}) error { |
There was a problem hiding this comment.
@klihub I believe you had questions / concerns about the validation of the annotations.
| ) | ||
|
|
||
| // ValidateSpecAnnotations checks whether spec annotations are valid. | ||
| func ValidateSpecAnnotations(name string, any interface{}) error { |
There was a problem hiding this comment.
What is the reason for not having the map[string]string type for annotations as in the Spec itself ?
There was a problem hiding this comment.
This function is called from the schema validation, where all we have is an interface{} type. This handles the conversion of this type to a map[string]string. Since this is required for two separate parts of the schema / spec (top-level annotations and device-level annotation), I added this helper here.
There was a problem hiding this comment.
Maybe I can rename this helper to ValidateSpecAnnotationSchema instead.
Antother option is to drop the schema validation entirely which would clean up this PR significantly.
There was a problem hiding this comment.
Yes, it is sort of tempting... Then again, if at all possible it is better to catch Spec errors early (when seen first time by the CDI package) than late (when an injection goes wrong in the runtime). So I guess then some basic annotation verification would be a good idea.
That said, I don't know if these checks are really that helpful in that regard. AFAICT we don't plan to inject any of these annotations to a container and we are doing K8s pod/container annotations verification here. If we don't inject them, some entity somewhere along the runtime-runc/crun/kata path will do some semantic interpretation of the annotated data... which inevitable leaves the door open for delayed post-injection errors.
Since we don't validate by default, I think we can leave it in for the time being. If you're good with it @klihub let's get this merged and I we can bump a new version. |
| // The v0.6.0 spec allows annotations to be specified at a device level | ||
| for _, d := range spec.Devices { | ||
| for range d.Annotations { | ||
| return true |
There was a problem hiding this comment.
Do we need a loop here if we unconditionally return on the first iteration?
There was a problem hiding this comment.
The intent of the loop is to detect whether a v0.6.0 spec is required. This is required if ANY annotions are detected.
We could use:
for _, d := range spec.Devices {
if len(d.Annotations) > 0 {
return true
instead, but I thought the loop was cleaner than the conditional in this case.
There was a problem hiding this comment.
Not for me, but I'm ok with it.
Based on the discussion in #30 some generated devices like VFs need extra meta information to be handled correctly in virtualized environments.