[3.7] UPSTREAM: 51634: Revert to using isolated PID namespaces in Docker

[sjenning]

kubernetes/kubernetes#51634

fixes openshift/openshift-ansible#6431

The upstream pick is a revert the shared PID namespacing being on by default. Unfortunately, it made the change for kube 1.8 and later but not 1.7 and therefore it is on by default in Origin 3.7 when using docker 1.13. This causes issues for glusterfs kubernetes/kubernetes#48937

@derekwaynecarr @dustymabe @sdodson

[dustymabe]

kubernetes/kubernetes#51634

This PR had 2 commits in it. I don't know if we need the 2nd one or not??

[sdodson]

I've just realized that OCP 3.7 removed docker-1.13 from the versions that are excluded. Should we add it back in? Also, it's worth noting that once RHEL7 ships docker-1.13 and RHEL AH is updated there will be no way for RHEL AH users to downgrade to 1.12.

[sjenning]

This PR had 2 commits in it. I don't know if we need the 2nd one or not??

All the rest of the changes where to test/e2e_node in kube which we don't vendor. Thanks for making sure though 👍

[sjenning]

I've just realized that OCP 3.7 removed docker-1.13 from the versions that are excluded. Should we add it back in?

IMO, no. Adding it back will just cause Fedora not to work with openshift-ansible right? Downgrading is not a viable option in my mind. 1.13 is coming to EL eventually. Might as well get some soak time to flush out issues like this one.

[sdodson]

IMO, no. Adding it back will just cause Fedora not to work with openshift-ansible right? Downgrading is not a viable option in my mind. 1.13 is coming to EL eventually. Might as well get some soak time to flush out issues like this one.

Right, adding it to origin 3.7 would break openshift-ansible on Fedora. I think getting Origin 3.7 soak time with docker-1.13 on Fedora is great, however we can differentiate between Origin and supported versions under OCP. If we're not going to block docker-1.13 in OCP 3.7 then we're saying it will be fully supported, which would be my preference, but I don't know if that's our official stance.

I can't tie all of openshift-ansible's problems back to enforcing maximum docker versions but it's certainly led to some of the most complicated code in the project.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sjenning
We suggest the following additional approver: derekwaynecarr

Assign the PR to them by writing /assign @derekwaynecarr in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/cmd/OWNERS
• vendor/k8s.io/kubernetes/cmd/kubelet/OWNERS

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[sjenning]

/retest

[sjenning]

/retest

@derekwaynecarr PTA

[openshift-ci-robot]

@sjenning: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/end_to_end	5b7bc10	link	/test end_to_end

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[cgwalters]

and RHEL AH is updated there will be no way for RHEL AH users to downgrade to 1.12.

FWIW from the last release:

To keep the universe in balance, we also lifted a feature out of
experimental; the ex override command is now just override.

So that's not true. Slowly but surely going from "you can't do that" to "you can but it may not be documented well" heading towards "you can do it and it's awesome" 😉

[derekwaynecarr]

LGTM