Replacing containerd GRPC API with client

[abhi]

This commit

1. Replaces the usage of containerd GRPC APIs with the containerd client for all operations related to containerd.
2. Updated containerd to v1.0alpha4+
3. Updated runc to v1.0.0

Signed-off-by: Abhinandan Prativadi [email protected]

[Random-Liu]

@abhinandanpb Thanks! Ping me when you are ready, and feel free to tell me if you have any questions. :)

[Random-Liu]

Haven't finished reviewing.
Send out some comments first.

[Random-Liu]

Sandbox{Metadata: metadatas[id]}

[Random-Liu]

Remove the TODO.

[Random-Liu]

Seems better to call this sandbox container.

// Containerd sandbox container

[Random-Liu]

nit: Move "sync" up. Our style is usually:

import (
"sync" // golang libraries

"github.com/containerd/containerd" // Other libraries

"github.com/kubernetes-incubator/cri-containerd/pkg/store" // cri-containerd libraries
)

[Random-Liu]

Remove the TODO.

And // Containerd image reference seems better.

[Random-Liu]

nit:

container, err := c.client.NewContainer(ctx, id, opts...)
if err != nil {
}

[Random-Liu]

There is a problem with the containerd client. If NewContainer fails, no one will cleanup the snapshot.

In our original implementation, we'll remove the snapshot. But in their client, it's not removed.

This is not your problem, will file an issue to them. But could you add a TODO here to track that?

[abhi]

Looks like I removed the TODO i had added earlier. I can fix it in containerd

[Random-Liu]

Cool. Then let's add TODO on our side, and try to fix it in containerd. :)

[Random-Liu]

nit to save one line:

if err := task.Start(ctx); err != nil {
}

[Random-Liu]

You could not Delete a task once it's created, unless you use the new WithProcessKill option containerd/containerd#1301.

We need the orignal code here, and replace it with Delete WithProcessKill after we bump up containerd version.

[abhi]

For this PR to work we anyways need to bump containerd version. I can incorporate the change. WDYT ?

[Random-Liu]

Sure. Let's update containerd version then.

There may be some change in their api and client, you may need to update your PR correspondingly.

[mikebrow]

Delete with kill looks useful
containerd/containerd@d8c075a

[Random-Liu]

nit: s/sandbox:%q/sandbox %q.

[Random-Liu]

nit: Maybe a little bit too picky, but may help with future PRs, :p

import(
"sync" // golang libraries
// empty line
"github.com/containerd/containerd" // other libraries
// empty line
"github.com/kubernetes-incubator/cri-containerd/pkg/store" // CRI containerd libraries
)

And also the same with the other imports.

[abhi]

I use goimports to format. I will skip using that.

[Random-Liu]

Seems not required. Because we've been using c.client.XXX all around, :)
We've made the assumption that once grpc handler runs, client should be ready.

[Random-Liu]

Not finished yet

[Random-Liu]

This is not required. We only need one defer after NewTask to Delete WithProcessKill.

[Random-Liu]

Why move this down here?

[Random-Liu]

s/container.ID()/id.
id seems more straightforward as sandbox id.

[Random-Liu]

nit: unnecessary empty line.

[Random-Liu]

It's fine to use containerd.NewFifos and create fifos in /tmp. However, the problem is that there is no way to pass empty stdin now.

There are 3 options:

1. Option 1: We create fifos ourselves, and pass them to containerd client. (What you are doing).
2. Option 2: Still use containerd.NewIO, but add option to disable stdin.
3. Option 3: Use containerd.NewIO directly, and call task.CloseIO afterwards for containers which don't want stdin.

I feel that option 2 or 3 seems better, because less change is required.

Will move this discussion to your containerd PR.

[Random-Liu]

Another problem with PR. Why using os.Stdin, os.Stdout and os.Stderr.

Should be nil, ioutil.Discard and ioutil.Discard.

[abhi]

This is still possible. The only reason I avoided using NewIO as is -> we need to pass the customer path. The tests were failing because CRI validation checks for logs in /tmp/Podxxxx where containerd by default (NewIO) logs into /tmp/containerd/XXXX.

[Random-Liu]

@abhinandanpb That's not how it works.

Containerd create FIFOs for each container. Currently, we create those fifos and give the path to containerd. In fact, we could use containerd client directly, which creates fifos for us in /tmp/containerd/XXX. We don't really care where the FIFOs are.

We create a Logger for each container, which read log from the FIFO, decorate the log, and write to the CRI log file, which is /var/log/pods/XXX. The test is checking this path, it doesn't care where the FIFOs are.

NewIO accepts streams directly, e.g. for stdout, we just need to open a pipe, pass the writer side to NewIO, pass the reader side to logger.

os.Stdout/os.Stderr/os.Stdin should not be used here.

[Random-Liu]

For localResolve, we still need this.

[Random-Liu]

Just:

opts = append(opts,
  containerd.WithSpec(spec),
  containerd.WithRuntime(defaultRuntime))

[Random-Liu]

Why add a new line before defer? I feel like we should group defer with the resource we want it to release?
Or is there any other convention?

[abhi]

i usally let gofmt/goimports take care of formatting and indentation

[Random-Liu]

@abhinandanpb Weird. In my case, gofmt never add unnecessary new lines for me.

[Random-Liu]

nit: The line is too long, add a new line?

[Random-Liu]

nit:

newContainer, err := c.client.XXXXXXXX
if err != nil {
  return nil, fmt.Errorf("failed to create containerd container: %v", err)
}

newContainer/container seems a bit confusing...Let's use cntr or cContainer or something else here?

[Random-Liu]

nit: The line is too long, add a new line.

[Random-Liu]

original error message seems better.

[Random-Liu]

Should add WithProcessKill.
My original code was not correct.

[Random-Liu]

? unnecessary empty line? There are several empty lines, seem like something wrong with your editor?

if err := task.Kill(ctx, stopSignal); err != nil {
}

[Random-Liu]

if err := task.Kill(ctx, unix.SIGKILL); err != nil {
}

[Random-Liu]

@abhinandanpb That's not how it works.

Containerd create FIFOs for each container. Currently, we create those fifos and give the path to containerd. In fact, we could use containerd client directly, which creates fifos for us in /tmp/containerd/XXX. We don't really care where the FIFOs are.

We create a Logger for each container, which read log from the FIFO, decorate the log, and write to the CRI log file, which is /var/log/pods/XXX. The test is checking this path, it doesn't care where the FIFOs are.

NewIO accepts streams directly, e.g. for stdout, we just need to open a pipe, pass the writer side to NewIO, pass the reader side to logger.

os.Stdout/os.Stderr/os.Stdin should not be used here.

[Random-Liu]

First pass review finished.
Will do the second pass after you reply and address comments.

[Random-Liu]

task will be nil if there is an error, we may want to skip the task.Kill when there is an error, even it's not found error.

[Random-Liu]

And we could get task outside of the if clause, so that we don't need to do it twice.

[Random-Liu]

Skip task.Kill if not found.

[Random-Liu]

New line.

[Random-Liu]

We should add following functions into containerd client.
Image.Config, Image.RootFS, Image.Size etc.

[Random-Liu]

We still need to write repoDigest, repoTag and imageID into containerd image metadata store.

[abhi]

Can you elaborate on this .? This has to be written on the containerd side ?

[Random-Liu]

Currently, our internal image store is maintaining the Image ID -> RepoDigests/RepoTags mapping, which is for the requirement of CRI.

However, when user create a container or pulling a image, they usually give us RepoDigest/RepoTag. So we have to do the RepoDigest/RepoTag -> Image ID (and other Information) conversion, which instead of creating another internal store, we are currently leveraging containerd image metadata store to do that. That's why we should put all RepoDigest/RepoTag into the metadata store.

As for why we also need to put image ID: I was told that containerd will do image gc based on reference, an entry in image metadata store is a reference to the corresponding snapshot and content. Other references are not unique enough to identify an image, e.g. repo tag could be reused by another image; schema 1 image doesn't have a repo digest etc.; image id seems to be the only thing we can use to reference the image and keep it from being garbage collected.

[Random-Liu]

nit: Can we follow this pattern?

That is the containerd/grpc pattern which seems more clean, and we don't need to update unit test everywhere.

[Random-Liu]

s/faile/failed

s/for container/for sandbox container.

[Random-Liu]

s/os.Stdin/new(bytes.Buffer).

And please add TODO to close container stdin if not needed.

[Random-Liu]

Use else?

[Random-Liu]

Actually it's a bit troublesome that we have to load the task again whenever we want to use it. :p

[Random-Liu]

else?

[Random-Liu]

Remove space before :.

Actually, now I prefer not to include id inside error message, unless the caller doesn't know that. Currently, error message is a bit messy. :p We need to gradually clean them up.

[Random-Liu]

Since you've got task here, just call task.Delete(ctx, WithProcessKill).

[Random-Liu]

This function is not that useful now, maybe just embed into StopContainer.

[Random-Liu]

nit: space before :.

[Random-Liu]

We also need to put image ID. :)

[abhi]

Thats already taken care of by the client ? https://github.com/containerd/containerd/blob/master/client.go#L252

[Random-Liu]

@abhinandanpb The client only puts the image reference in.

There are several different image references:

• Image ID: Image config digest.
• Image Pullable Digest: Image manifest digest.
• Image ChainID: Calculated from uncompressed image snapshot.
• Image Name/Tag: Readable image name, e.g docker.io/library/busybox:latest, docker.io/library/nginx:latest etc.

[Random-Liu]

This issue kubernetes/kubernetes#46255, and the OCI image spec document may be useful here. :)

[abhi]

Got it . Thanks for explaining. Is there anyway we could avoid storing these many-to-one reference copies in the store ? I mean any change we can do on the containerd side to resolve the image ? Not in the scope of this PR. But moving forward.

[Random-Liu]

getImageInfo may not be needed, if Image.Size(), Image.RootFS() could provide enough information.

[Random-Liu]

Several final nits. LGTM overall.

[Random-Liu]

nit: remove space before :.

[Random-Liu]

Log this after you get the image id, so that you could log the image id out.

[Random-Liu]

and image id

[Random-Liu]

nit: Return image id as imagedigest.Digest.

[Random-Liu]

Why r here?
Actually, we could get image id before updating repoDigest, repoTag, so that we could update them all together in a single loop.

[abhi]

@Random-Liu updated PR. Thanks for reviewing the changes multiple times :)

[Random-Liu]

@abhinandanpb LGTM, let's wait for the test result.

[Random-Liu]

oci config and imageID.

To make it the same with the return order.

[Random-Liu]

Please move this down after the following if clause.

[abhi]

Done.

[Random-Liu]

LGTM
Will merge after test passes.
@abhinandanpb Thanks a lot! :)

[Random-Liu]

Fixes #86.
Fixes #49.