adds config and switches to manage pull-image for create/run commands

[mikebrow]

addresses issue #625

• first commit adds pull-image-on-create support
• second commit cleans up the usage output
• third commit documents the config command
• fourth commit adds --with-pull option and disable-pull-on-run config

Signed-off-by: Mike Brown brownwm@us.ibm.com

[saschagrunert]

LGTM

[mikebrow]

manual output:

new flag config detail:

mike@mike-VirtualBox:~/go/src/github.com/kubernetes-sigs/cri-tools$ sudo crictl
NAME:
   crictl - client for CRI

USAGE:
   crictl [global options] command [command options] [arguments...]

VERSION:
   1.18.0-54-g17e535c-dirty

COMMANDS:
   attach              Attach to a running container
   create              Create a new container
   exec                Run a command in a running container
   version             Display runtime version information
   images, image, img  List images
   inspect             Display the status of one or more containers
   inspecti            Return the status of one or more images
   imagefsinfo         Return image filesystem info
   inspectp            Display the status of one or more pods
   logs                Fetch the logs of a container
   port-forward        Forward local port to a pod
   ps                  List containers
   pull                Pull an image from a registry
   run                 Run a new container inside a sandbox
   runp                Run a new pod
   rm                  Remove one or more containers
   rmi                 Remove one or more images
   rmp                 Remove one or more pods
   pods                List pods
   start               Start one or more created containers
   info                Display information of the container runtime
   stop                Stop one or more running containers
   stopp               Stop one or more running pods
   update              Update one or more running containers
   config              Get and set crictl options.

The options are as follows:

- runtime-endpoint: Container runtime endpoint
- image-endpoint: Image endpoint
- timeout: Timeout of connecting to server
- debug: Enable debug output
- pull-image-on-create: Enable pulling image on create requests

   stats       List container(s) resource usage statistics
   completion  Output shell completion code
   help, h     Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config value, -c value            Location of the client config file. If not specified and the default does not exist, the program's directory is searched as well (default: "/etc/crictl.yaml") [$CRI_CONFIG_FILE]
   --debug, -D                         Enable debug mode (default: false)
   --image-endpoint value, -i value    Endpoint of CRI image manager service (default: uses 'runtime-endpoint' setting) [$IMAGE_SERVICE_ENDPOINT]
   --runtime-endpoint value, -r value  Endpoint of CRI container runtime service (default: uses in order the first successful one of [unix:///var/run/dockershim.sock unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock]). Default is now deprecated and the endpoint should be set instead. [$CONTAINER_RUNTIME_ENDPOINT]
   --timeout value, -t value           Timeout of connecting to the server in seconds (e.g. 2s, 20s.). 0 or less is set to default (default: 2s)
   --help, -h                          show help (default: false)
   --version, -v                       print the version (default: false)
mike@mike-VirtualBox:~/go/src/github.com/kubernetes-sigs/cri-tools$ sudo crictl config
NAME:
   crictl config - Get and set crictl options.

The options are as follows:

- runtime-endpoint: Container runtime endpoint
- image-endpoint: Image endpoint
- timeout: Timeout of connecting to server
- debug: Enable debug output
- pull-image-on-create: Enable pulling image on create requests


USAGE:
   crictl config [command options] [<options>]

OPTIONS:
   --get value  show the option value
   --set value  set option (can specify multiple or separate values with commas: opt1=val1,opt2=val2)
   --help, -h   show help (default: false)
   
mike@mike-VirtualBox:~/go/src/github.com/kubernetes-sigs/cri-tools$ sudo crictl config --get pull-image-on-create
false

create pod.. then create container with pull-image-on-create set to false (default)

sudo crictl runp sandbox-config.json
998e9f433de889c1ccecbbcd817860fca3a0e079263f96e9281bdddb98717699

sudo crictl create 998 container-config.json sandbox-config.json
10d0d9487c29411e6a8f60da17f4022de730c37d056122560578670698c722ce

containerd output (note no pull image):
INFO[2020-06-11T11:27:45.687488374-05:00] RunPodsandbox for &PodSandboxMetadata{Name:nginx-sandbox,Uid:hdishd83djaidwnduwk28bcsb,Namespace:default,Attempt:1,} 
time="2020-06-11T11:27:48.637632149-05:00" level=info msg="starting signal loop" namespace=k8s.io path=/run/containerd/io.containerd.runtime.v2.task/k8s.io/998e9f433de889c1ccecbbcd817860fca3a0e079263f96e9281bdddb98717699 pid=22707
INFO[2020-06-11T11:27:48.807688905-05:00] RunPodSandbox for &PodSandboxMetadata{Name:nginx-sandbox,Uid:hdishd83djaidwnduwk28bcsb,Namespace:default,Attempt:1,} returns sandbox id "998e9f433de889c1ccecbbcd817860fca3a0e079263f96e9281bdddb98717699" 
INFO[2020-06-11T11:28:56.281892742-05:00] CreateContainer within sandbox "998" for container &ContainerMetadata{Name:busybox,Attempt:0,} 
INFO[2020-06-11T11:28:56.282487691-05:00] Logging will be disabled due to empty log paths for sandbox ("") or container ("") 
INFO[2020-06-11T11:28:56.631831810-05:00] CreateContainer within sandbox "998" for &ContainerMetadata{Name:busybox,Attempt:0,} returns container id "10d0d9487c29411e6a8f60da17f4022de730c37d056122560578670698c722ce" 

now remove the container... set the flag to true and try again

sudo crictl config --set pull-image-on-create=true
sudo cat /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: ""
timeout: 0
debug: false
pull-image-on-create: true

# end of file

mike@mike-VirtualBox:~/go/src/crictl-test$ sudo crictl ps -a
CONTAINER           IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID
71d5c9278f97c       busybox:latest      7 weeks ago         Exited              container           0                   cfdd101d9f9f4
mike@mike-VirtualBox:~/go/src/crictl-test$ sudo crictl rm 71d
71d
mike@mike-VirtualBox:~/go/src/crictl-test$ sudo crictl ps -a
CONTAINER           IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID
mike@mike-VirtualBox:~/go/src/crictl-test$ sudo crictl create 998 container-config.json sandbox-config.json
9d01a71b6982cbbf715cc1457290787d76ee534a29864fffdd66b0cef7912dba

containerd output (note pulls image)
INFO[2020-06-11T11:32:02.302939273-05:00] RemoveContainer for "71d"                    
INFO[2020-06-11T11:32:02.306285167-05:00] RemoveContainer for "71d" returns successfully 
INFO[2020-06-11T11:33:45.776126849-05:00] PullImage "busybox"                          
INFO[2020-06-11T11:33:46.752899672-05:00] ImageUpdate event &ImageUpdate{Name:docker.io/library/busybox:latest,Labels:map[string]string{io.cri-containerd.image: managed,},XXX_unrecognized:[],} 
INFO[2020-06-11T11:33:46.758395467-05:00] ImageUpdate event &ImageUpdate{Name:sha256:1c35c441208254cb7c3844ba95a96485388cef9ccc0646d562c7fc026e04c807,Labels:map[string]string{io.cri-containerd.image: managed,},XXX_unrecognized:[],} 
INFO[2020-06-11T11:33:46.760004500-05:00] ImageUpdate event &ImageUpdate{Name:docker.io/library/busybox:latest,Labels:map[string]string{io.cri-containerd.image: managed,},XXX_unrecognized:[],} 
INFO[2020-06-11T11:33:46.761990660-05:00] ImageUpdate event &ImageUpdate{Name:docker.io/library/busybox@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209,Labels:map[string]string{io.cri-containerd.image: managed,},XXX_unrecognized:[],} 
INFO[2020-06-11T11:33:46.762212193-05:00] PullImage "busybox" returns image reference "sha256:1c35c441208254cb7c3844ba95a96485388cef9ccc0646d562c7fc026e04c807" 
INFO[2020-06-11T11:33:46.763476591-05:00] CreateContainer within sandbox "998" for container &ContainerMetadata{Name:busybox,Attempt:0,} 
INFO[2020-06-11T11:33:46.764753463-05:00] Logging will be disabled due to empty log paths for sandbox ("") or container ("") 
INFO[2020-06-11T11:33:46.785310652-05:00] CreateContainer within sandbox "998" for &ContainerMetadata{Name:busybox,Attempt:0,} returns container id "9d01a71b6982cbbf715cc1457290787d76ee534a29864fffdd66b0cef7912dba" 

[hickeyma]

Looking good @mikebrow for a quick look. Will take a better look tomorrow when I get a chance.

One thing, you might need to update https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md with the new flag.

[mikebrow]

One thing, you might need to update https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md with the new flag.

I did think that over. IMO this is more applicable for a release note... the usage documents the flag on the main and config help pages:

- pull-image-on-create: Enable pulling image on create requests

The default is (false) the original behavior, that which is expected by kubelet. IMO this is more a release note notice than a feature that should be highlighted in the docs for use in the cli. Note: no-pull is not in the crictl.md document. Would have to be a new section describing pod, container, and image workflow, summarizing pull policy mechanics for kubernetes, the new flag, and the no-pull override that is activate-able when the new flag is set to pull images on create. Which is more a design/admin thing.. possibly open issue for an admin guide?

[mikebrow]

test fail is dupe of #626 will rebase and retest when that merges.

[BenTheElder]

I must be missing something -- why isn't this controlled by the pod's image Pull Policy?

[saschagrunert]

I must be missing something -- why isn't this controlled by the pod's image Pull Policy?

The pull policy is not part of the CRI and only handled by the kubelet internally.

[mikebrow]

This isn't as urgent as I thought.. crictl isn't in the path between kublet and the CRI runtimes.. kublet goes directly to a sock. Not sure where I got the impression otherwise. crictl is used by kubeadm, some k/k tests, some health monitoring in gce...

[saschagrunert]

This isn't as urgent as I thought.. crictl isn't in the path between kublet and the CRI runtimes.. kublet goes directly to a sock. Not sure where I got the impression otherwise. crictl is used by kubeadm, some k/k tests, some health monitoring in gce...

Now I finally got the whole context and the reason of my confusion. Thank you for the clarification. 🙂

[hickeyma]

LGTM NB but still think the flag should be added to https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md. It will be added to the config file etc when set so would need to be documented.

[mikebrow]

LGTM NB but still think the flag should be added to https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md. It will be added to the config file etc when set so would need to be documented.

:-) and done.. see additional commits.. cheers.

[hickeyma]

Thanks @mikebrow, nice update.

[mikebrow]

@hickeyma @saschagrunert note the new commit adding somewhat significant (non-breaking) changes. Could use updated reviews.

[saschagrunert]

/lgtm

[feiskyer]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feiskyer, mikebrow

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [feiskyer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment