Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Auto import images for containerd image store #10973

Open
wants to merge 20 commits into
base: master
Choose a base branch
from

Conversation

vitorsavian
Copy link
Member

@vitorsavian vitorsavian commented Oct 2, 2024

Proposed Changes

  • ADR
  • Auto import images form .txt files and tar files

Types of Changes

  • New Feature

Verification

  • run a k3s server
k3s server
  • create the images folder
mkdir /var/lib/rancher/k3s/agent/images
  • create a .txt file and add a docker.io image path to the .txt file
docker.io/library/mysql:latest
  • move the file to /var/lib/rancher/k3s/agent/images
cp example.txt /var/lib/rancher/k3s/agent/images
  • then see if the file was imported in the containerd image store
k3s ctr images list | grep "mysql"
  • you can also change the file inside var/lib/rancher/k3s/agent/images
nano /var/lib/rancher/k3s/agent/images/example.txt
  • then you can add
docker.io/library/redis:latest
  • the controller will see the change and then import the redis image
k3s ctr images list | grep "redis"

Testing

Linked Issues

User-Facing Change

Users can now auto import images to containerd by just throwing the image in the agent/images folder while k3s is running

Further Comments

@vitorsavian vitorsavian requested a review from a team as a code owner October 2, 2024 15:46
Copy link
Member

@brandond brandond left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Users can now add images in the embedded registry auto import folder while k3s is running

To avoid confusion, remove any references to importing things into the embedded registry - the embedded registry does not have a discrete image store to import into. We import images into the containerd image store, and images in the containerd image store can be used by Kubernetes pods without needing to be pulled from a remote registry, and they can also be shared between nodes by the embedded registry.

docs/adrs/add-auto-import-embedded-registry.md Outdated Show resolved Hide resolved
docs/adrs/add-auto-import-embedded-registry.md Outdated Show resolved Hide resolved
Copy link

codecov bot commented Oct 10, 2024

Codecov Report

Attention: Patch coverage is 45.20548% with 120 lines in your changes missing coverage. Please review.

Project coverage is 45.37%. Comparing base (4ec2617) to head (e5e2332).

Files with missing lines Patch % Lines
pkg/agent/containerd/watcher.go 46.63% 79 Missing and 24 partials ⚠️
pkg/agent/containerd/containerd.go 34.61% 11 Missing and 6 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10973      +/-   ##
==========================================
- Coverage   46.98%   45.37%   -1.61%     
==========================================
  Files         179      180       +1     
  Lines       18610    18812     +202     
==========================================
- Hits         8743     8536     -207     
- Misses       8505     8972     +467     
+ Partials     1362     1304      -58     
Flag Coverage Δ
e2etests 39.67% <45.20%> (-1.74%) ⬇️
inttests 34.63% <19.17%> (-0.13%) ⬇️
unittests 13.67% <0.00%> (-0.15%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@vitorsavian vitorsavian force-pushed the auto-import-embedded-registry branch from 88b30cb to d605c59 Compare October 10, 2024 20:34
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
@vitorsavian vitorsavian changed the title [ADR][WIP] Auto import images for embedded registry [WIP] Auto import images for embedded registry Oct 18, 2024
@vitorsavian vitorsavian marked this pull request as draft October 18, 2024 14:42
@brandond
Copy link
Member

brandond commented Oct 21, 2024

We probably shouldn't do it in this PR, but it would be nice if whatever we used for watching image file changes was generic, and could be reused by the deploy controller - right now it just re-scans everything once a minute:

// start calls listFiles at regular intervals to trigger application of manifests that have changed on disk.
func (w *watcher) start(ctx context.Context, client kubernetes.Interface) {
w.recorder = pkgutil.BuildControllerEventRecorder(client, ControllerName, metav1.NamespaceSystem)
force := true
for {
if err := w.listFiles(force); err == nil {
force = false
} else {
logrus.Errorf("Failed to process config: %v", err)
}
select {
case <-ctx.Done():
return
case <-time.After(15 * time.Second):
}
}

@vitorsavian vitorsavian force-pushed the auto-import-embedded-registry branch 4 times, most recently from fa7e775 to 10251df Compare October 28, 2024 07:33
@vitorsavian vitorsavian changed the title [WIP] Auto import images for embedded registry [WIP] Auto import images for containerd image store Oct 28, 2024
@vitorsavian vitorsavian force-pushed the auto-import-embedded-registry branch 2 times, most recently from 5218084 to 1893d58 Compare October 29, 2024 15:05
@vitorsavian vitorsavian changed the title [WIP] Auto import images for containerd image store Auto import images for containerd image store Oct 29, 2024
@vitorsavian vitorsavian marked this pull request as ready for review October 29, 2024 16:14
@vitorsavian vitorsavian requested review from brandond and a team October 29, 2024 18:18
@vitorsavian vitorsavian force-pushed the auto-import-embedded-registry branch 4 times, most recently from e9755b6 to c806d29 Compare October 30, 2024 19:27
if os.IsNotExist(err) {
err := os.MkdirAll(cfg.Images, 0744)
if err != nil {
logrus.Errorf("Unable to create agent/images folder in %s: %v", cfg.Images, err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we creating this now? Must the folder exist in order to watch it? Is there any other way to handle this?

Copy link
Member

@brandond brandond Oct 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if the user makes the images dir a symlink to another path? What happens if the image dir is deleted and recreated while the watcher is going? These are all things that users are going to try at some point.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The behavior after the changes now are that the image watcher will watch the k3s/agent and only work with the events that contains the agent/images, if the image folder is already created, the preloadImages will load the images, so the watcher will not need to load, but if the image folder is created or symlink with a folder with images inside, the watcher will send to the workqueue for the images to be loaded.

If the folder is deleted, fsnotify can auto delete and because we are watching the /k3s/agent, if the user creates the folder again, we will watch it.

pkg/agent/containerd/watcher.go Outdated Show resolved Hide resolved
pkg/agent/containerd/watcher.go Outdated Show resolved Hide resolved
pkg/agent/containerd/watcher.go Outdated Show resolved Hide resolved
pkg/agent/containerd/watcher.go Outdated Show resolved Hide resolved
pkg/agent/containerd/watcher.go Outdated Show resolved Hide resolved
pkg/agent/containerd/watcher.go Outdated Show resolved Hide resolved
pkg/agent/containerd/watcher.go Outdated Show resolved Hide resolved
@vitorsavian vitorsavian force-pushed the auto-import-embedded-registry branch 3 times, most recently from 7f194f4 to 28919f5 Compare November 12, 2024 14:12
Signed-off-by: Vitor Savian <[email protected]>

Watch agent folder and only watch the images folder after is added

Signed-off-by: Vitor Savian <[email protected]>

Add file support and a better handling for populate

Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>

Set local false in the test

Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>
Signed-off-by: Vitor Savian <[email protected]>
@vitorsavian vitorsavian force-pushed the auto-import-embedded-registry branch from c8f01d2 to 98f3c9b Compare December 2, 2024 15:25
Copy link
Member

@brandond brandond left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor nit, lgtm otherwise!

pkg/agent/containerd/containerd.go Outdated Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
Signed-off-by: Vitor Savian <[email protected]>
@vitorsavian vitorsavian requested review from harsimranmaan, dereknola and a team and removed request for harsimranmaan December 3, 2024 02:45
Copy link
Contributor

@manuelbuil manuelbuil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the late review. I'm a bit confused about the use case. My guess is: we have a cluster where we would like only one (or more) node(s) to pull the images for the whole cluster. The rest of the nodes would pull the images from these selected nodes by using the embedded registry mirror. We can't easily do this today because containerd will only pull the images if there is a local pod requiring it. This feature would "force" containerd to pull the image, even if no local pod requires it. Is my understanding correct?


## Context

Since the feature for embedded registry, the users appeared with a question about having to manually import images, specially in edge environments.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would users have to manually import images? Aren't they automatically pulled by containerd once the pod is scheduled in the node?


Eventually(func(g Gomega) {
cmd := `k3s ctr images list | grep library/redis`
g.Expect(e2e.RunCmdOnNode(cmd, serverNodeNames[0])).Should(ContainSubstring("io.cattle.k3s.pinned=pinned"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does the pinned tag mean? That is was manually pulled?

})

It("Restarts normally", func() {
errRestart := e2e.RestartCluster(append(serverNodeNames, agentNodeNames...))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need to restart the cluster?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants