k3s/pkg/agent/containerd/config_linux.go

127 lines
4.3 KiB
Go
Raw Normal View History

//go:build linux
// +build linux
package containerd
import (
"context"
"os"
"github.com/containerd/containerd"
Update to v1.26.0-k3s1 (#6370) * Update to v1.26.0-alpha.2 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go generate Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Default CURRENT_VERSION to VERSION_TAG for alpha versions Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * remove containerd package Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update k8s to v1.26.0-rc.0-k3s1 cri-tools cri-dockerd and cadvisor Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * replace cri-api reference to the new api Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go mod tidy Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update to Kubernetes 1.26.0-rc.1 Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Undo helm-controller pin Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Bump containerd to -k3s2 for stargz fix Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * DevicePlugins featuregate is locked to on Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Bump kine for DeleteRange fix Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Update to v1.26.0-k3s1 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go mod tidy Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Bring back snapshotter checks and update golang to 1.19.4 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix windows containerd snapshotter checks Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2022-12-09 23:42:15 +00:00
overlayutils "github.com/containerd/containerd/snapshots/overlay/overlayutils"
fuseoverlayfs "github.com/containerd/fuse-overlayfs-snapshotter"
stargz "github.com/containerd/stargz-snapshotter/service"
"github.com/docker/docker/pkg/parsers/kernel"
"github.com/k3s-io/k3s/pkg/agent/templates"
util2 "github.com/k3s-io/k3s/pkg/agent/util"
"github.com/k3s-io/k3s/pkg/cgroups"
"github.com/k3s-io/k3s/pkg/daemons/config"
"github.com/k3s-io/k3s/pkg/version"
"github.com/opencontainers/runc/libcontainer/userns"
"github.com/pkg/errors"
"github.com/rancher/wharfie/pkg/registries"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
"k8s.io/kubernetes/pkg/kubelet/util"
)
const socketPrefix = "unix://"
func getContainerdArgs(cfg *config.Node) []string {
args := []string{
"containerd",
"-c", cfg.Containerd.Config,
"-a", cfg.Containerd.Address,
"--state", cfg.Containerd.State,
"--root", cfg.Containerd.Root,
}
return args
}
// setupContainerdConfig generates the containerd.toml, using a template combined with various
// runtime configurations and registry mirror settings provided by the administrator.
func setupContainerdConfig(ctx context.Context, cfg *config.Node) error {
privRegistries, err := registries.GetPrivateRegistries(cfg.AgentConfig.PrivateRegistry)
if err != nil {
return err
}
isRunningInUserNS := userns.RunningInUserNS()
_, _, controllers := cgroups.CheckCgroups()
// "/sys/fs/cgroup" is namespaced
cgroupfsWritable := unix.Access("/sys/fs/cgroup", unix.W_OK) == nil
disableCgroup := isRunningInUserNS && (!controllers["cpu"] || !controllers["pids"] || !cgroupfsWritable)
if disableCgroup {
logrus.Warn("cgroup v2 controllers are not delegated for rootless. Disabling cgroup.")
} else {
// note: this mutatation of the passed agent.Config is later used to set the
// kubelet's cgroup-driver flag. This may merit moving to somewhere else in order
// to avoid mutating the configuration while setting up containerd.
cfg.AgentConfig.Systemd = !isRunningInUserNS && controllers["cpuset"] && os.Getenv("INVOCATION_ID") != ""
}
extraRuntimes := runtimeConfigs{}
findNvidiaContainerRuntimes(os.DirFS(string(os.PathSeparator)), extraRuntimes)
findWasiRuntimes(os.DirFS(string(os.PathSeparator)), extraRuntimes)
var containerdTemplate string
containerdConfig := templates.ContainerdConfig{
NodeConfig: cfg,
DisableCgroup: disableCgroup,
SystemdCgroup: cfg.AgentConfig.Systemd,
IsRunningInUserNS: isRunningInUserNS,
EnableUnprivileged: kernel.CheckKernelVersion(4, 11, 0),
PrivateRegistryConfig: privRegistries.Registry,
ExtraRuntimes: extraRuntimes,
Program: version.Program,
}
selEnabled, selConfigured, err := selinuxStatus()
if err != nil {
return errors.Wrap(err, "failed to detect selinux")
}
switch {
case !cfg.SELinux && selEnabled:
logrus.Warn("SELinux is enabled on this host, but " + version.Program + " has not been started with --selinux - containerd SELinux support is disabled")
case cfg.SELinux && !selConfigured:
logrus.Warnf("SELinux is enabled for "+version.Program+" but process is not running in context '%s', "+version.Program+"-selinux policy may need to be applied", SELinuxContextType)
}
containerdTemplateBytes, err := os.ReadFile(cfg.Containerd.Template)
if err == nil {
logrus.Infof("Using containerd template at %s", cfg.Containerd.Template)
containerdTemplate = string(containerdTemplateBytes)
} else if os.IsNotExist(err) {
containerdTemplate = templates.ContainerdConfigTemplate
} else {
return err
}
parsedTemplate, err := templates.ParseTemplateFromConfig(containerdTemplate, containerdConfig)
if err != nil {
return err
}
return util2.WriteFile(cfg.Containerd.Config, parsedTemplate)
}
func Client(address string) (*containerd.Client, error) {
addr, _, err := util.GetAddressAndDialer(socketPrefix + address)
if err != nil {
return nil, err
}
return containerd.New(addr)
}
Update to v1.26.0-k3s1 (#6370) * Update to v1.26.0-alpha.2 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go generate Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Default CURRENT_VERSION to VERSION_TAG for alpha versions Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * remove containerd package Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update k8s to v1.26.0-rc.0-k3s1 cri-tools cri-dockerd and cadvisor Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * replace cri-api reference to the new api Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go mod tidy Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update to Kubernetes 1.26.0-rc.1 Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Undo helm-controller pin Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Bump containerd to -k3s2 for stargz fix Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * DevicePlugins featuregate is locked to on Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Bump kine for DeleteRange fix Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Update to v1.26.0-k3s1 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go mod tidy Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Bring back snapshotter checks and update golang to 1.19.4 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix windows containerd snapshotter checks Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2022-12-09 23:42:15 +00:00
func OverlaySupported(root string) error {
return overlayutils.Supported(root)
}
func FuseoverlayfsSupported(root string) error {
return fuseoverlayfs.Supported(root)
}
func StargzSupported(root string) error {
return stargz.Supported(root)
}