KEP-1981 Windows HostProcess containers KEP updates for beta #2865
Conversation
Signed-off-by: Mark Rossetti <[email protected]>
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
kind/kep
Signed-off-by: Mark Rossetti <[email protected]>
Signed-off-by: Mark Rossetti <[email protected]>
Signed-off-by: Mark Rossetti <[email protected]>
k8s-ci-robot
added
size/L
Signed-off-by: Mark Rossetti <[email protected]>
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
marosset
changed the title
…DME.md Co-authored-by: Brandon Smith <[email protected]>
…DME.md Co-authored-by: Brandon Smith <[email protected]>
…DME.md Co-authored-by: Brandon Smith <[email protected]>
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
s/hostProcess/`HostProcess` Co-authored-by: Danny Canter <[email protected]> Co-authored-by: Brandon Smith <[email protected]>
marosset
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
| - Note: We are prototyping a new approach to how the file system is created for `hostProcess` containers that would present the filesystem in a similar manner to non-hostProcess containers running on Windows (`c:\` (trailing \ included) would be the root instead of `c:\c\<container id>\`). | ||
| This would make it so files from volume mounts would be accessible via static paths. HostProcess containers would still have full access to the host file-system. | ||
| https://github.com/microsoft/hcsshim/pull/1107 is tracking this exploratory work. | ||
| This functionality will most-likely not be ready during Kubernetes v1.23 and any changes made to how volume mounts work would be done before this features becomes stable. |
There was a problem hiding this comment.
Can you outline how a workload could support both old and new behavior during a version upgrade?
There was a problem hiding this comment.
Hopefully there shouldn't be anything needed. Right now the environment variable we set points to the root of the volume that contains a merged view of the image layers (so basically the root of the rootfs, or C:\ in a windows server container, / on linux). For the new logic, we'd still set the env var, but just have it point to C:\ instead, so if your workload made heavy use of this envvar nothing should change really.
There was a problem hiding this comment.
Correct, if a workload is accessing files with the env var using the current behavior (where volume mounts show up under c:\c<contianer id>) the the workloads are expected to work without changes if/when we switch to the behavior Danny is prototyping.
After switching to the new behavior there use of the env var will be optional.
Let me update the KEP with this information.
There was a problem hiding this comment.
I updated the doc, please take a look.
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
| - Note: it is not possible to feature-gate this behavior in client libraries and because of this the functionality should not be added to client libraries after `hostProcess` containers while this feature is in `alpha`. | ||
| - [kubernetes/kubernetes#104490](https://github.com/kubernetes/kubernetes/pull/104490) add support for `HostProcess` containers to the golang client library. | ||
| - Named Pipe mounts will **not** be supported. Instead named pipes should be accessed via their path on the host (\\\\.\\pipe\\*). | ||
| - Unix domain sockets mounts support will be added before `HostProcess` containers graduate to `stable`. For `alpha` and `beta` Unix domain sockets can be accessed via their paths on the host like named pipes. |
There was a problem hiding this comment.
It's surfaced today using hostpath but since hostprocess containers get access to the entire root filesystem, is it required?
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, marosset, msau42 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@liggitt @dchen1107 can you take a look? Thanks! |
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
|
From sig node perspective, moving from annotations to native support is a good thing. Removing annotation string in CRI sounds OK to me. /lgtm |
k8s-ci-robot
added
the
lgtm
| - An environment variable `$CONTAINER_SANDBOX_MOUNT_POINT` will be set to the absolute path where the container volume is mounted for `hostProcess` containers. | ||
| - Note: Syntax for referencing environment variables differs depending on what shell you are using. In cmd.exe env vars are surrounded by %'s (ex: `%CONTAINER_SANDBOX_MOUNT_POINT%`) and in powershell env vars are prefixed with $env: (ex: `$env:CONTAINER_SANDBOX_MOUNT_POINT`). | ||
| - This environment variable will be set to `c:\c\<containerid>\` (trailing \ included!) for each container. | ||
| - This environment variable can be used inside the Pod manifest / command line args for containers. See files in this [pull request](https://github.com/kubernetes-sigs/sig-windows-tools/pull/161/files#diff-b8195f7a2ad8f9ae9ebdd1bde8a0f3756c4508c1d9d9dd99f4a3bfa19fc3b828R135) for examples of using `$CONTAINER_SANDBOX_MOUNT_POINT` inside deployment manifests. |
There was a problem hiding this comment.
we do the expansion locally
asked in the linked pull request, but it wasn't clear where the expansion was done... are $env:... and %env% expansions done for non-hostProcess command/args/workingDir fields as well?
There was a problem hiding this comment.
the $CONTAINER_SANDBOX_MOUNT_POINT env var is set by hcsshim for processes inside the Windows container when the container is started. Generally Windows does variable expansion for environment variables that are found in the path to an executable and for any env vars found in command line arguments when the executable is run.
This is the same behavior for non-hostProcess containers for command / args / workingDir.
For the CONTAINER_SANDBOX_MOUNT_POINT the variable expansion needs to happen inside of the container because the value won't be determined until after the hostProcesss containers are created.
keps/sig-windows/1981-windows-privileged-container-support/README.md
Outdated
Show resolved
Hide resolved
…mand / args / workingdir
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
removed
the
do-not-merge/hold
…tes#2865) * WIP: Windows HostProcess containers KEP updates for beta Signed-off-by: Mark Rossetti <[email protected]> * Fillling out PRR section Signed-off-by: Mark Rossetti <[email protected]> * Container Volume updates Signed-off-by: Mark Rossetti <[email protected]> * Container Image Build updates Signed-off-by: Mark Rossetti <[email protected]> * misc updates Signed-off-by: Mark Rossetti <[email protected]> * Update keps/sig-windows/1981-windows-privileged-container-support/README.md Co-authored-by: Brandon Smith <[email protected]> * Update keps/sig-windows/1981-windows-privileged-container-support/README.md Co-authored-by: Brandon Smith <[email protected]> * Update keps/sig-windows/1981-windows-privileged-container-support/README.md Co-authored-by: Brandon Smith <[email protected]> * Apply suggestions from code review s/hostProcess/`HostProcess` Co-authored-by: Danny Canter <[email protected]> Co-authored-by: Brandon Smith <[email protected]> * update keps/prod-readiness/sig-windows/1981.yaml * Addressing some TODOs * clarify CONTAINER_SANDBOX_MOUNT_POINT usage * Apply suggestions from code review Co-authored-by: Danny Canter <[email protected]> * cmd.exe and powershell env var behaviors * s/privileged/hostProcess * storage related feedback / updates * Add test criteria to validate different path syntax for container command / args / workingdir * do not update client libraries until file system investigations conclude Co-authored-by: Brandon Smith <[email protected]> Co-authored-by: Danny Canter <[email protected]>
…tes#2865) * WIP: Windows HostProcess containers KEP updates for beta Signed-off-by: Mark Rossetti <[email protected]> * Fillling out PRR section Signed-off-by: Mark Rossetti <[email protected]> * Container Volume updates Signed-off-by: Mark Rossetti <[email protected]> * Container Image Build updates Signed-off-by: Mark Rossetti <[email protected]> * misc updates Signed-off-by: Mark Rossetti <[email protected]> * Update keps/sig-windows/1981-windows-privileged-container-support/README.md Co-authored-by: Brandon Smith <[email protected]> * Update keps/sig-windows/1981-windows-privileged-container-support/README.md Co-authored-by: Brandon Smith <[email protected]> * Update keps/sig-windows/1981-windows-privileged-container-support/README.md Co-authored-by: Brandon Smith <[email protected]> * Apply suggestions from code review s/hostProcess/`HostProcess` Co-authored-by: Danny Canter <[email protected]> Co-authored-by: Brandon Smith <[email protected]> * update keps/prod-readiness/sig-windows/1981.yaml * Addressing some TODOs * clarify CONTAINER_SANDBOX_MOUNT_POINT usage * Apply suggestions from code review Co-authored-by: Danny Canter <[email protected]> * cmd.exe and powershell env var behaviors * s/privileged/hostProcess * storage related feedback / updates * Add test criteria to validate different path syntax for container command / args / workingdir * do not update client libraries until file system investigations conclude Co-authored-by: Brandon Smith <[email protected]> Co-authored-by: Danny Canter <[email protected]>
Signed-off-by: Mark Rossetti [email protected]