kata containers enhancement proposal #366
Conversation
|
/assign @joelanford |
|
/assign @mrunalp |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
|
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@cgwalters: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@mrunalp we updated the document and think it is ready to be merged if you agree.
|
|
I'm interested in using this to isolate less trustworthy workloads.
|
| ### Overview | ||
| Kubernetes provides support for RuntimeClasses. RuntimeClass is a feature for selecting the container runtime configuration. The container runtime configuration is used to run a Pod’s containers. | ||
|
|
||
| CRI-O today comes out of the box with a runc as the default runtime. CRI-O also supports RUntimeClasses and using this configuration, it will support a KataContainers runtime as well. |
There was a problem hiding this comment.
nit: s/RUntimeClasses/RuntimeClasses/
| 1. ~200 mb extra, installed in the host, for those who'd be using kata runtime | ||
| 2. Updates / Removal may be more complicated than having the RPMs as part of machine-os-content | ||
|
|
||
| #### Long term: Use RHCOS extensions (qemu-kiwi and dependencies only) |
There was a problem hiding this comment.
This section looks like a copy/paste from #317
Could this be re-written to just link to that enhancement and instead focus this section on what packages would be supplied in the extension for kata containers?
There was a problem hiding this comment.
Please update that section to indicate what we would put in the extension.
Do we want to discuss the reduced qemu package here?
| 1. ~20 mb extra, installed in the host, for those who'd be using kata runtime | ||
| 2. machine-os-content would still carry this until there is a separate machine-os-content- extensions container | ||
|
|
||
| This approach has a dependency on the extensions framework being delivered into Openshift. |
There was a problem hiding this comment.
The RHCOS extensions framework was successfully delivered in 4.6; this statement could be dropped.
|
|
||
| ## Summary | ||
|
|
||
| Kata containers is an open source project developing a container runtime using virtual machines and providing the same look and feel as with vanilla containers. |
There was a problem hiding this comment.
same look and fill as vanilla containers (no with)
There was a problem hiding this comment.
I hope you did not carry over my typo (fill instead of feel)
| ## Summary | ||
|
|
||
| Kata containers is an open source project developing a container runtime using virtual machines and providing the same look and feel as with vanilla containers. | ||
| By leveraging hardware virtualization technologies kata containers provides powerful workload isolation compared to existing container solutions. |
|
|
||
| ## Summary | ||
|
|
||
| Kata containers is an open source project developing a container runtime using virtual machines and providing the same look and feel as with vanilla containers. |
There was a problem hiding this comment.
Try to use consistent capitalization, Kata Containers everywhere (making it clear it's a project name and not some terminology).
|
|
||
| ## Summary | ||
|
|
||
| Kata containers is an open source project developing a container runtime using virtual machines and providing the same look and feel as with vanilla containers. |
There was a problem hiding this comment.
Add link to Kata Containers project for easier review.
| 1. ~200 mb extra, installed in the host, for those who'd be using kata runtime | ||
| 2. Updates / Removal may be more complicated than having the RPMs as part of machine-os-content | ||
|
|
||
| #### Long term: Use RHCOS extensions (qemu-kiwi and dependencies only) |
There was a problem hiding this comment.
Please update that section to indicate what we would put in the extension.
Do we want to discuss the reduced qemu package here?
| - Configure CRI-O to use Kata Runtime on those worker nodes | ||
| - Installation of the runtimeClass on the cluster | ||
| - Updates the Kata runtime | ||
| - Uninstall Kata Runtime and reconfigure CRI-O to not use it. |
There was a problem hiding this comment.
Add a reference to base scheduling metrics?
There was a problem hiding this comment.
@c3d Not sure what you'd like to see. Do you have one for me?
There was a problem hiding this comment.
I would add something like
- Provide usable CPU, memory, disk and network metrics to the scheduler
WDYT?
There was a problem hiding this comment.
@c3d, this is not necessarily the responsibility of Kata Containers, nor necessarily CRI-O or kubelet. I'd argue against adding it, unless we have the full buy-in of the monitoring team to support those.
IMHO, adding this may actually increase the chance to have the addition blocked than anything else.
/cc @zanetworker
There was a problem hiding this comment.
I agree with you both on the responsibilities. That is not my point however, nor is it the point of this section. The section describes the "Goals" of the operator, from the OpenShift perspective. I still believe that these goals should include adding whatever other configuration is needed for the orchestration layer to do its job. That includes metrics, pod overhead computations, and possibly other fine details that I'm sure we have not really covered yet.
What about extending the "Installation of the runtimeClass" bullet as follows:
- Installation of the runtimeClass on the cluster, as well as of the required components for the runtime to be controlled by the orchestration layer.
Come to think of it, this rewording is also necessary to describe the installation of the virtualization components.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: c3d The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
All review comments are addressed. Gentle reminder for more reviews/acks :-) |
|
@mrunalp ping |
Signed-off-by: Ariel Adam <[email protected]>
fix review findings from Micah Abbot
Fix c3d's review findings
Extend the goal "installation of the runtime" by also taking care of things like pod overhead etc
Signed-off-by: Fabiano Fidêncio <[email protected]>
This commit silences "MD009/no-trailing-spaces Trailing space" markdown lint error. Signed-off-by: Fabiano Fidêncio <[email protected]>
This commit silences "MD024/no-duplicate-heading/no-duplicate-header Multiple headings with the same content" markdown lint error. Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
Signed-off-by: Fabiano Fidêncio <[email protected]>
|
@ariel-adam, can you close this one in favour of #677 ? |
|
Closing this since we have #677 instead |
Providing the enhancement document for the kata containers project to be reviewed.