CRI-Containerd Missing Pieces

[Random-Liu]

cri-containerd already supports basic container/sandbox lifecycle and image management today. However, there are still many missing pieces. List them here with relative proprieties:

Missing Features

• [P0] Privileged support. (Issue: Support Privileged. #29, PR: Support privileged #51)
• [P0] Stop container with image default stop signal. (Issue: Stop container with image default stop signal #61, PR: Send stop signal specified in image config. #83)
• [P1] Container logging. (PR: Add container logging support. #56)
• [P1] ExecSync. ExecSync is very useful for testing, so prioritize it.
• [P1] Pull image authentication. (Issue: Pull Image Authentication #58, PR: Add pull image authentication. #88)
• [P1] Sandbox /etc/resolv.conf. (Issue: Maintain resolv.conf for pod. #28, PR: Generate and maintain resolv.conf for sandbox #50)
• [P1] Sandbox /etc/hosts. (PR: Add sandbox /etc/hosts. #60)
• [P1] Sandbox /dev/shm. (PR: Add sandbox dev shm #67)
• [P1] Device mapping. (PR: Support privileged #51)
• [P1] Set user/username. (PR: add the user id support of runAsUser #146, Add RunAsUser support #168)
• [P1] ExecSync timeout. (PR: Some cleanup after switching to new client. #137)
• [P2] Selinux options/label. (PR: Support selinux options/label #157)
• [P2] Container streaming.
  • Exec (PR: Add container Exec support. #115)
  • Attach
  • Portforward (PR: Add portforward support. #130)
• [P2] Support systemd cgroup. (PR: Add systemd cgroup support. #290)
• [P3] Image list filter.
• [P2] CRI conformance. Stop running container when stopping sandbox, remove container when removing sandbox etc. (PR: Unmount dev shm and cleanup container when stop/remove sandbox #77)
• [P2] OOM Event. Handle containerd event, and set container status exit reason correspondingly. (PR: Handle OOM event. #91)
• [P2] Apparmor. (PR: Adds support for AppArmor #159)
• [P2] Seccomp. (PR: Adds seccomp support #219)
• [P2] Sysctl (PR: Sets sysctls from pod config annotations #119).
• [P2] Other pod sandbox security context (user/selinux etc.). Figure out what this means to sandbox container.
• [P2] Container metrics. (PR: Adding container metrics support #265)
• [P2] Image filesystem metrics. (PR: Add image stats and integration test #257)
• [P2] Container manager. Add container manager to ensure containerd and cri-containerd are in runtime cgroup. (Issue: Add flag to place cri-containerd into a specific cgroup. #181, PR: Place containerd inside cgroup containerd#1443, Adding option to configure cgroup to start cri-containerd #184)
• [P2] Host port. (PR: Add host port support. #154)

Improvements

• [P0] Switch to containerd api. Including change the implementation and update unit test (add mock client etc.). (Issue: Use containerd client. #49)
• [P1] Switch to new containerd client. (PR: Replacing containerd GRPC API with client #113)
• [P1] Refactor metadata store. (PR: Rewrite metadata store #66)
  • Add pure in-memory cache for image management;
  • Add in-memory wrapper for sandbox/container metadata store, because there are several things which don't need to be checkpointed.
  • Reconsider what we should store in container labels.
• [P1] Create permanent network namespace. (Issue: Create permanent network namespace for sandbox. #43, PR: Add permanent netns #54)
• [P2] Add unit test for image. With new containerd client, it's much easier to add unit test for image part. (Issue: Add unit test for image management code. #36)
• [P3] Check image config and top level snapshot existence when list/Inspect image. (Issue: Verify image components are "ready"/available for use containerd#1514, Use containerd image readiness check function to properly recover image during restart. #303)
• [P1] Default sandbox container resource limit. (PR: Set sandbox container resource limit. #92)
• [P3] Add truncindex for image and container id. (PR: Add Truncindex for container, sandbox and image #235)
• [P2] Reliable containerd event handling. Requeue event on error. (Handle containerd event reliably #628)
• [P2] Checkpoint versioning. (Metadata and status are all versioned now)
• [P2] Handle recovery from cri-containerd and containerd restart.

Containerd Missing Features

• [P0] V2 Schema 1 image support. (Issue: Support schema 1 manifest. #35, Support schema 1 image. containerd#851)
• [P1] Image (content/snapshot) garbage collection.
• [P1] Containerd version. Containerd doesn't report semver because of a bug.

[stevvooe]

Containerd doesn't report semver because of a bug.

We just haven't tagged a revision yet. The version field will contain the proper git tag, which will be semantic versioned. If the release is made off an untagged revision, it will be qualified with git commit, per git describe.

In general, I wouldn't recommend pushing down semantic versioning requirements on the runtimes.

[Random-Liu]

We just haven't tagged a revision yet. The version field will contain the proper git tag, which will be semantic versioned.

Yeah, checked the code. That's the "bug" I mean. :)

If the release is made off an untagged revision, it will be qualified with git commit, per git describe.

Hm, I checked Kubelet code, and it seems that we don't actually require it to be a semver. Although semver is better. Will slash the item then.

[mikebrow]

checked off seccomp..

[Random-Liu]

Most important features in this list are done. Move rest of stuff to next release.