Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kubernetes v1.24+ container runtime on Fedora CoreOS #767

Open
dghubble opened this issue Mar 12, 2021 · 105 comments
Open

Kubernetes v1.24+ container runtime on Fedora CoreOS #767

dghubble opened this issue Mar 12, 2021 · 105 comments

Comments

@dghubble
Copy link
Member

dghubble commented Mar 12, 2021

Kubernetes intends to drop drop support for docker-shim as a container runtime in v1.22. Currently, Fedora CoreOS 33.20210217.3.0 ships docker 19.03.13. docker-shim remains the most stable, tested, available out-of-the-box runtime, but this will end soon. I'd like some kind of clarity on Fedora CoreOS's intentions, such as shipping a compatible containerd or cri-o. With Kubernetes cutting v1.22 alpha releases (likely pretty soon) in the time frame of Fedora 34, as Kubernetes distros we'll want to start evaluating and conformance testing the selection.

Overall, I'd like to know there is some plan. Ideally a documented one. Flatcar Linux has published their intentions to ship containerd in time and already has a mechanism to test it (docs).

cri-o

It sounds like cri-o can only be installed by downloading an RPM (from where?) directly and rpm-ostree installing it (unverified). dnf and yumdownloader used by an openshift script aren't present. #292 (comment). I have some maturity concerns about that. Is this really the recommended path? For a container optimized distro to not have a better path to getting a container runtime?

Releases are also pinned to Kubernetes versions and seem to lag by quite some time, so I have some velocity concerns (the runtime needs to be fairly stable, we roll forward when Kubernetes does, think hours).

containerd

I haven't seen Fedora CoreOS plans to make this the runtime of choice.

Or is the plan something else?

@dghubble
Copy link
Member Author

dghubble commented Mar 12, 2021

👀 cri-o doesn't list Fedora CoreOS as a supported OS and the only mention of how to hack it in is a year ago from @dustymabe (thx). And then cri-o creates a new need for conntrack on-host and forces you down the path of installing other RPMs which will need strict versioning.

https://github.com/cri-o/cri-o/blob/master/install.md
https://discussion.fedoraproject.org/t/installing-using-cri-o-on-fedora-coreos/15961/5

@lucab
Copy link
Contributor

lucab commented Mar 12, 2021

[cri-o] Releases are also pinned to Kubernetes versions and seem to lag by quite some time

This is the main reason why cri-o is not shipped as part of the base FCOS. The daemon isn't a generic container runtime that can be freely upgraded by the OS, but it is instead interlocked with the higher level application/service (k8s control plane).

This strict interlock is an explicit design, highlighted at https://github.com/cri-o/cri-o. To that extent, for k8s distributions the whole "kubelet plus cri-o" is effectively a single "node runtime" component.

@rhatdan
Copy link

rhatdan commented Mar 12, 2021

@mrunalp @haircommander PTAL

@rhatdan
Copy link

rhatdan commented Mar 12, 2021

@mrunalp @haircommander Why isn't Fedora a supported platform for CRI-O? Is this just an oversite?

@haircommander
Copy link

haircommander commented Mar 12, 2021

fedora is listed https://github.com/cri-o/cri-o/blob/master/install.md#fedora-31-or-later it's just not in the table (which is both out of date and unneeded) wait a minute, it is also in the table. Where are you getting indication cri-o is not supported on fedora @dghubble? Are you looking for Fedora CoreOS specific installation instructions?

@haircommander
Copy link

[cri-o] Releases are also pinned to Kubernetes versions and seem to lag by quite some time

This is the main reason why cri-o is not shipped as part of the base FCOS. The daemon isn't a generic container runtime that can be freely upgraded by the OS, but it is instead interlocked with the higher level application/service (k8s control plane).

This strict interlock is an explicit design, highlighted at https://github.com/cri-o/cri-o. To that extent, for k8s distributions the whole "kubelet plus cri-o" is effectively a single "node runtime" component.

I agree with @lucab here, kubelet and cri-o should be installed together with matching versions. If there's a way we (the cri-o team) can minimize the friction with this in FCOS, I'd love to hear about it.

@LorbusChris
Copy link
Contributor

As I see it, the issue here is more that it's a bit difficult to install the cri-o RPM because it's distributed as a module and rpm-ostree can't handle it.
At least for OKD, making the version of cri-o that is used in the current OKD version available in a standard, non-modular yum repo would help since we could then include it easily (either in the base compose, or as an extension in a local yum repo)
Longer term, rpm-ostree should probably be taught to work with modular repos.

@haircommander
Copy link

how is the kubelet packaged for OKD now? Could the appropriate cri-o version be tossed in that package?

@vrutkovs
Copy link
Member

In OKD we grab kubelet RPM from origin artifacts, copy it to /tmp/rpms, extract to /tmp/working and create a new rpm-ostree commit with this dir overlayed.

Similar steps to fetch CRI-O RPM

@dghubble
Copy link
Member Author

dghubble commented Mar 12, 2021

For comparison, docker+shim (and soon containerd on Flatcar Linux) provide a suitable container runtime that meets Kubernetes CRI minimum needs, out of the box. Kublet is bundled as a container image. Runs. Conformant. We roll forward within days of Kubernetes releases and do need to not wait on changes from the base OS or any package ecosystem.

If we move toward cri-o, in addition to the friction of adopting cri-o (it feels like we'd be the first user outside okd), there is this velocity concern. I appreciate you folks have explicit RPM packages for components. In pratice, we'd have to release new Kubernetes with Flatcar Linux only, and somehow have Fedora CoreOS come weeks later or something. We'd be waiting on this package ecosystem. How strict is the cri-o to k8s versioning really? Is it just about valiation?

@haircommander
Copy link

How strict is the cri-o to k8s versioning really? Is it just about valiation?

in practice, not terribly strict. It's the safest bet, though. the cri, while generally stable, does change. We don't backport new cri changes to older versions of cri-o. We also don't attempt to test any kubelet/cri-o skew. Basically: we make no support claims for anything other than matching versions.

Generally, folks don't have much trouble with having mismatched versions (I've never heard anyone complain about it). But it's theoretically possible

Kublet is bundled as a container image.

out of curiosity, do you run the kubelet inside a container, or do you use the image to package it easily?

@LorbusChris
Copy link
Contributor

@vrutkovs @haircommander it looks to me as though we are running the kubelet through the hyperkube binary (see https://github.com/openshift/installer/blob/master/data/data/bootstrap/systemd/units/kubelet.service.template#L15-L16),
which is extracted from the payload and written to disk during install (lives in https://github.com/openshift/kubernetes/blob/master/openshift-hack/images/hyperkube/Dockerfile.rhel).
I suppose crio could be distributed the same way, that is not as an RPM, but as a container.

@vrutkovs
Copy link
Member

that is not as an RPM, but as a container.

Yes, and we had this option in 3.x days. AFAIK some distros (Rancher) do that too - but node SIG doesn't officially support running kubelet (and container engine) in container, as it complicates volumes.

Perhaps we should be extracting binaries to /usr/local/bin?

@dghubble
Copy link
Member Author

dghubble commented Mar 12, 2021

If we're just sideloading cri-o on our own with a "works on OKD with our RPMs" promise, as helpful as that is, it reduces the value prop for FCOS a bit. Could we at least have some "official" flow that guarantees cri-o can be installed successfully on FCOS? Ideally in FCOS that'd be an Ignition mechanism, but Dusty's script still seems to be the best approach that installs it currently. And some comittment to cri-o being a supported case on FCOS, beyond a question in the forums?

@haircommander Kubelet in a container with podman, like other on-host services (e.g. etcd).
@LorbusChris hyperkube was deprecated upstream back in k8s v1.18, so I'm guessing that's something custom openshift is doing

With v1.22, container runtime experience might become a differentiator for users picking from base OSes. I want both to be strong choices and don't weigh in on my users choice.

@LorbusChris
Copy link
Contributor

@dghubble coreos/rpm-ostree#1435 would probably be the cleanest solution to this then

@haircommander
Copy link

I agree @LorbusChris , I think that's the best not-hacky way to guarantee cri-o can be installed (and kubelet can be installed with a corresponding version). we could even couple a kubernetes module with kubelet, cri-o and crictl

@dghubble
Copy link
Member Author

This is the main reason why cri-o is not shipped as part of the base FCOS. The daemon isn't a generic container runtime that can be freely upgraded by the OS, but it is instead interlocked with the higher level application/service (k8s control plane).

How about Fedora CoreOS shipping containerd then, as the general container runtime? Which would give a window of compatibility @lucab

@haircommander
Copy link

This is the main reason why cri-o is not shipped as part of the base FCOS. The daemon isn't a generic container runtime that can be freely upgraded by the OS, but it is instead interlocked with the higher level application/service (k8s control plane).

How about Fedora CoreOS shipping containerd then, as the general container runtime? Which would give a window of compatibility @lucab

What reasons are there for shipping a general container runtime? If the modules thing is figured out, and cri-o can be installed with kubernetes seamlessly, I don't see a need for containerd

@dghubble
Copy link
Member Author

Some of the original value behind Container Linux being packageless were shipping a minimal OS suitable for cluster uses cases (i.e. container runtime is "new enough"). Adding RPMs is more a step toward traditional approaches and slower cadence. What happens when Kubernetes has a release, but cri-o doesn't have an RPM yet if they're in lock-step? For example, how would we test Kubernetes v1.21-beta.1 right now? We'd need to release without Fedora CoreOS, and I can see users gravitating toward Flatcar/containerd if this just isn't even a factor there.

To be clear, I don't care which container runtime is chosen. I have no horse in this race (thank you CRI). Just that it work well in these cases going forward.

@haircommander
Copy link

haircommander commented Mar 12, 2021

Some of the original value behind Container Linux being packageless were shipping a minimal OS suitable for cluster uses cases (i.e. container runtime is "new enough"). Adding RPMs is more a step toward traditional approaches and slower cadence. What happens when Kubernetes has a release, but cri-o doesn't have an RPM yet if they're in lock-step? For example, how would we test Kubernetes v1.21-beta.1 right now? We'd need to release without Fedora CoreOS, and I can see users gravitating toward Flatcar/containerd if this just isn't even a factor there.

I see this as mostly a syncing of requirements. Up until now, we haven't had a request to test a yet-to-be-released cri-o in FCOS. I see no reason we couldn't ship the module early--assuming we can set expectation about stability before the .0 release. I'm happy to work together to setup cri-o packaging better on FCOS

@vrutkovs
Copy link
Member

CRI-O is also being built upstream in non-module RPMs, rpm-ostree can install those - see crio 1.20

@jlebon
Copy link
Member

jlebon commented Mar 15, 2021

If we're just sideloading cri-o on our own with a "works on OKD with our RPMs" promise, as helpful as that is, it reduces the value prop for FCOS a bit. Could we at least have some "official" flow that guarantees cri-o can be installed successfully on FCOS? Ideally in FCOS that'd be an Ignition mechanism, but Dusty's script still seems to be the best approach that installs it currently.

Yes, this is #681. We definitely need to improve the UX on package layering. (Modularity is something that this sugar will need to consider as well.)

And some comittment to cri-o being a supported case on FCOS, beyond a question in the forums?

Agreed we need to discuss this (IMO, yes this should be supported). Essentially, I think we need to:

  • decide on a version (or range of versions) of k8s we want to support
  • work with the cri-o team to have the matching RPMs for those versions available (either as proper modules in Fedora, or e.g. using the new OS extensions work to ship them in a side yum repo)
  • add CI tests that sanity-checks the supported cri-o versions (at least with Prow, we can do full e2e testing for the version currently targeted by OKD)
  • make sure that the install layer (OKD/Typhoon) knows how to drive rpm-ostree to install the right cri-o version for the target k8s version being installed (e.g. enable a yum repo, then call rpm-ostree install cri-o-1.20) until we do Improve package layering UX #681

I don't think rpm-ostree natively supporting modules is a blocker for all this, but it definitely would make it easier.

@haircommander
Copy link

If we're just sideloading cri-o on our own with a "works on OKD with our RPMs" promise, as helpful as that is, it reduces the value prop for FCOS a bit. Could we at least have some "official" flow that guarantees cri-o can be installed successfully on FCOS? Ideally in FCOS that'd be an Ignition mechanism, but Dusty's script still seems to be the best approach that installs it currently.

Yes, this is #681. We definitely need to improve the UX on package layering. (Modularity is something that this sugar will need to consider as well.)

And some comittment to cri-o being a supported case on FCOS, beyond a question in the forums?

Agreed we need to discuss this (IMO, yes this should be supported). Essentially, I think we need to:

* decide on a version (or range of versions) of k8s we want to support

I think supporting the three releases k8s upstream supports should work

* work with the cri-o team to have the matching RPMs for those versions available (either as proper modules in Fedora, or e.g. using [the new OS extensions work](https://github.com/coreos/rpm-ostree/pull/2439) to ship them in a side yum repo)

I am happy to go forward with either, though my preference is proper module support (it feels more idiomatic for fedora)

* add CI tests that sanity-checks the supported cri-o versions (at least with Prow, we can do full e2e testing for the version currently targeted by OKD)

big +1

make sure that the install layer (OKD/Typhoon) knows how to drive rpm-ostree to install the right cri-o version for the target k8s version being installed (e.g. enable a yum repo, then call rpm-ostree install cri-o-1.20)

I suppose if we go the extensions route, we could use the existing OBS infrastructure for this (enable the OBS repo instead of some special cri-o one)

@jlebon
Copy link
Member

jlebon commented Mar 16, 2021

Related: openshift/os#498

@bgilbert
Copy link
Contributor

What reasons are there for shipping a general container runtime? If the modules thing is figured out, and cri-o can be installed with kubernetes seamlessly, I don't see a need for containerd

Fedora CoreOS is meant to be a general platform for running containers. If there's a container runtime that people want to use, and there are no technical blockers to shipping it, we should probably ship it. We already ship Moby and podman, and would already be shipping cri-o if not for the version-skew issue.

Is there some reason we shouldn't ship containerd?

@lucab
Copy link
Contributor

lucab commented Mar 19, 2021

By the way there is already a containerd package shipped in FCOS, which is getting in as a dependency. We don't cover that explicitly in our CI, so I don't know whether it actually works.

@ingvagabund
Copy link

ingvagabund commented Jan 10, 2022

Hello everyone

I agree that a Kubernetes module would be the sanest approach to deal with multiple versions here. I think @janch32 is the maintainer of the RPM in Fedora today. It's probably best to work with him to get that RPM modularized.

Unfortunately, I am no longer active in the RPM Fedora area. The Kubernetes rpms in Fedora has been lacking maintenance for some time. I recall there was an effort to make Kubernetes modular. However, I was not part of the effort. If anyone is interested in proceeding here and keeping the Kubernetes rpms up2date, I can share the access rights.

@travier
Copy link
Member

travier commented Jan 10, 2022

Commands for 1.22: coreos/fedora-coreos-config#1406

@anthr76
Copy link
Contributor

anthr76 commented Jan 10, 2022

Hello everyone

I agree that a Kubernetes module would be the sanest approach to deal with multiple versions here. I think @janch32 is the maintainer of the RPM in Fedora today. It's probably best to work with him to get that RPM modularized.

Unfortunately, I am no longer active in the RPM Fedora area. The Kubernetes rpms in Fedora has been lacking maintenance for some time. I recall there was an effort to make Kubernetes modular. However, I was not part of the effort. If anyone is interested in proceeding here and keeping the Kubernetes rpms up2date, I can share the access rights.

I have not worked directley with Fedora RPMs but familiar of the process this is something I would be interested in. I'm on matrix if you wanted to speak directley @anthr76:mozilla.org

@buckaroogeek
Copy link

I have the time, interest, and (some) skills to also contribute where I can add value.

Brad

@haircommander
Copy link

So it sounds like our eventual ideal situation is having modular go, cri-o and kubernetes. We have modular cri-o, so ideally someone could add and maintain go and kubernetes. Do either of those tasks interest either of you @buckaroogeek @anthr76 ?

@buckaroogeek
Copy link

Sure I, for one, can give it a go.

:)

Actually, yes I am very interested in helping. Reviewing the package maintainer web pages now. And will follow through on the needed steps. I might also suggest helm as that seems to also be lagging in packaging support. It would seem that getting some solid traction around go and a go module would be a first step? After getting the package maintainers introductions done.

@dustymabe
Copy link
Member

@haircommander
So it sounds like our eventual ideal situation is having modular go, cri-o and kubernetes.

It looks like the golang maintainers started a discussion about golang and different versions recently on Fedora Devel. It looks like the consensus there was to use golang compat packages (not a module) if they wanted to support different versions in Fedora. Which IIUC should be fine for what we need.

I think the status is:

@buckaroogeek @anthr76 - does that sound good?

@buckaroogeek
Copy link

@dustymabe - Yes, it does for me.

@dghubble
Copy link
Member Author

These efforts sound like the right direction to getting cri-o to be a better option on Fedora CoreOS. However, I'm planning to migrate Typhoon users to containerd on Fedora CoreOS. I don't want to distract from this issue's focus (getting one or more first class container runtimes on FCOS), but for those interested, I outlined why here.

@Conan-Kudo
Copy link

I can help with the non-modular kubernetes and cri-o packages that are required to be present alongside modular ones.

@ingvagabund
Copy link

ingvagabund commented Jan 12, 2022

@buckaroogeek @anthr76 feel free to share you fedora usernames so I can add you as committers to the kubernetes project. Checking the previous commits might give you some hints on how to update the kubernetes to the next version. I have not installed the kubernetes rpms for ages so it might be challenging at the beginning to make it work. Though learning from mistakes will eventually yield the right results.

@buckaroogeek
Copy link

buckaroogeek commented Jan 12, 2022

@ingvagabund - buckaroogeek is the name I use in FAS.

Thanks for the tips and assist.

@ingvagabund
Copy link

When adding you as a committer, I am getting This user must be in one of the following groups to be allowed to be added to this project: packager. I believe you need a sponsor. Not sure what's the process these days to obtain one.

@buckaroogeek
Copy link

@ingvagabund - I do not want to further side track this issue. May I contact you directly? A ticket needs to be filed with the package sponsor pagure instance by a current sponsor.

@anthr76
Copy link
Contributor

anthr76 commented Jan 13, 2022

@buckaroogeek @anthr76 feel free to share you fedora usernames so I can add you as committers to the kubernetes project.

My fas is anthr76

I can be reached on matrix as @anthr76:mozilla.org

Thanks!

@ingvagabund
Copy link

I do not want to further side track this issue. May I contact you directly?

@buckaroogeek @anthr76 what channel do you prefer? IRC, email, ...?

@anthr76
Copy link
Contributor

anthr76 commented Jan 13, 2022

I do not want to further side track this issue. May I contact you directly?

@buckaroogeek @anthr76 what channel do you prefer? IRC, email, ...?

I'm on matrix as @anthr76:mozilla.org I'm in #fedora-coreos and #fedora-golang which is also bridged with IRC

@buckaroogeek
Copy link

buckaroogeek commented Jan 13, 2022 via email

@Conan-Kudo
Copy link

@ingvagabund @anthr76 Please file a request for sponsoring @anthr76 through to co-maintain kubernetes here: https://pagure.io/packager-sponsors

@dghubble dghubble changed the title Kubernetes v1.22+ container runtime on Fedora CoreOS Kubernetes v1.24+ container runtime on Fedora CoreOS Jan 20, 2022
@cgwalters
Copy link
Member

I think this one is going to intersect with https://github.com/coreos/enhancements/blob/main/os/coreos-layering.md for many people.

jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Mar 22, 2022
This is already in the OS as a dependency of moby-engine, but Typhoon is
now also relying on this and likely other people deploying Kubernetes on
top of FCOS.

Unlike cri-o, the versioning of containerd wrt CRI is less tight, which
makes baking it into the host easier.

Things may change here in the future, and it's likely we will recommend
cri-o as an alternative runtime for k8s eventually. But for now, let's
at least be more explicit that we're shipping containerd.

For more information, see:
coreos/fedora-coreos-tracker#767
poseidon/typhoon#899 (comment)
jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Mar 22, 2022
This is already in the OS as a dependency of moby-engine, but Typhoon is
now also relying on this and likely other people deploying Kubernetes on
top of FCOS.

Unlike cri-o, the versioning of containerd wrt CRI is less tight, which
makes baking it into the host easier.

Things may change here in the future, and it's likely we will recommend
cri-o as an alternative runtime for k8s eventually. But for now, let's
at least be more explicit that we're shipping containerd.

For more information, see:
coreos/fedora-coreos-tracker#767
poseidon/typhoon#899 (comment)
coreosbot-releng pushed a commit to coreosbot-releng/fedora-coreos-config that referenced this issue Mar 22, 2022
This is already in the OS as a dependency of moby-engine, but Typhoon is
now also relying on this and likely other people deploying Kubernetes on
top of FCOS.

Unlike cri-o, the versioning of containerd wrt CRI is less tight, which
makes baking it into the host easier.

Things may change here in the future, and it's likely we will recommend
cri-o as an alternative runtime for k8s eventually. But for now, let's
at least be more explicit that we're shipping containerd.

For more information, see:
coreos/fedora-coreos-tracker#767
poseidon/typhoon#899 (comment)
@dustymabe
Copy link
Member

From @jlebon's memory (which is much better than my memory) in the video community meeting today he think's the remaining steps here are:

  • work with the current RPM maintainers (@anthr76 and friends) on how we should recommend our users consume the rpms.
  • develop documentation around the recommendation
  • add a test that exercises the recommendation

@buckaroogeek
Copy link

Please let me know how I can help. At one point, Anthony (@anthr76) and I were considering modules for kubernetes, but the approach taken by the nodejs and haskell maintainers on multiple versions seems to be more approachable. I have been negligent in getting a change request submitted to outline the path forward.

The version of go supported in a given Fedora release would shape the version(s) of kubernetes available from Fedora repositories. For example, F37 has go 1.19.x. Kubernetes 1.25, 1.24, and 1.23 would be available allowing Fedora, including CoreOS, to function as a node for any supported version of Kubernetes and as a workstation hosting kubectl to manage those clusters.

Regardless of the approach, I would like to see (and help produce) good documentation for end users around the installation of vanilla kubernetes on all suitable variants of Fedora.

HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this issue Oct 10, 2023
This is already in the OS as a dependency of moby-engine, but Typhoon is
now also relying on this and likely other people deploying Kubernetes on
top of FCOS.

Unlike cri-o, the versioning of containerd wrt CRI is less tight, which
makes baking it into the host easier.

Things may change here in the future, and it's likely we will recommend
cri-o as an alternative runtime for k8s eventually. But for now, let's
at least be more explicit that we're shipping containerd.

For more information, see:
coreos/fedora-coreos-tracker#767
poseidon/typhoon#899 (comment)
HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this issue Oct 10, 2023
This is already in the OS as a dependency of moby-engine, but Typhoon is
now also relying on this and likely other people deploying Kubernetes on
top of FCOS.

Unlike cri-o, the versioning of containerd wrt CRI is less tight, which
makes baking it into the host easier.

Things may change here in the future, and it's likely we will recommend
cri-o as an alternative runtime for k8s eventually. But for now, let's
at least be more explicit that we're shipping containerd.

For more information, see:
coreos/fedora-coreos-tracker#767
poseidon/typhoon#899 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests