kubelet: enable crio

[rphillips]

Enables crio for the kubelet container runtime.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rphillips
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: yifan-gu

If they are not already assigned, you can assign the PR to them by writing /assign @yifan-gu in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[abhinavdahiya]

@rphillips

• why is this file required?
• who uses this ?
• how will we configure it if we somebody needs to configure it for their internal registry ??

/cc @crawford

[rphillips]

The file is needed since crio gets installed with a default config which only includes the registry.access.redhat.com registry. docker.io needs to be added to the registry list to pull in defaulted docker images.

/cc @sjenning

[abhinavdahiya]

If this only affects images like openshift/origin-machine-config-operator:latest as this is not a fully qualified name, it should have been docker.io/openshift/origin-machine-config-operator:latest.

I rather have people use fully qualified names, than put this file on each machine... @crawford WDYT?

[abhinavdahiya]

@rphillips can you change this file to suggestion made in the installer here

[rphillips]

updated

[abhinavdahiya]

@rphillips also can you run go test ./pkg/controller/template/... -u to update the golden test files.

[rphillips]

@abhinavdahiya regenerated

[rphillips]

/hold

We may want to merge the cross-repo crio PR's all at once.

[crawford]

As mentioned in openshift/installer#234 (comment), can you remove these empty sections?

[rphillips]

updated

[wking]

Why did you need to set this? Did you hit an error without it, or is it just increasing robustness? What's the default value? How did you decide on 10m?

[sjenning]

default is 2m. probably doesn't need to be changed. i think the cri-o docs recommend this, but i don't think it is needed.

[wking]

default is 2m. probably doesn't need to be changed

I'm in favor of dropping it then. The fewer local opinions we need to maintain, the better :).

[rphillips]

Yeah, I took the runtime-request-timeout from this recommendation: https://github.com/kubernetes-sigs/cri-o/blob/master/kubernetes.md#preparing-kubelet

[abhinavdahiya]

Let's keep the time out then, as it might be required when we pull hyberkube image on slower network.

[wking]

It DRY things up a bit to have a templates/_base/all/files/container-registries.yaml or some such which would be added to both masters and workers. But perhaps that is more than we want to bite off in this particular PR.

[rphillips]

Updated the PR and removed the --runtime-request-timeout.

The default --runtime-request-timeout enforces a 2 minute timeout on image pulls... We may want to bump it up for slower networks.

[rphillips]

/hold cancel

[abhinavdahiya]

--cni-conf-dir, --cni-bin-dir, --network-pluging are no longer required as cri-o handles everything.

[rphillips]

Thanks. Removed those options.

[abhinavdahiya]

/hold

I was testing these changes yesterday, networking is not ready to be used with crio in installer yet. openshift/installer#235 (comment)

[abhinavdahiya]

The default --runtime-request-timeout enforces a 2 minute timeout on image pulls... We may want to bump it up for slower networks.

As it is recommended by https://github.com/kubernetes-sigs/cri-o/blob/master/kubernetes.md#preparing-kubelet Let's set it to 10m

[rphillips]

@abhinavdahiya I added support for a 10m timeout, and an environment variable and file to be able to overwrite the default

[sjenning]

I think all the feedback has been addressed. I've tested this an it works:

$ oc get nodes -o wide
NAME            STATUS    ROLES       AGE       VERSION           INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                  KERNEL-VERSION               CONTAINER-RUNTIME
dev-bootstrap   Ready     bootstrap   5m        v1.11.0+d4cacc0   192.168.124.10   <none>        Red Hat CoreOS 4.0.5470   3.10.0-862.14.1.el7.x86_64   cri-o://1.11.2
dev-master-0    Ready     master      4m        v1.11.0+d4cacc0   192.168.124.11   <none>        Red Hat CoreOS 4.0.5470   3.10.0-862.14.1.el7.x86_64   cri-o://1.11.2
dev-worker-0    Ready     worker      4m        v1.11.0+d4cacc0   192.168.124.50   <none>        Red Hat CoreOS 4.0.5470   3.10.0-862.14.1.el7.x86_64   cri-o://1.11.2
dev-worker-1    Ready     worker      4m        v1.11.0+d4cacc0   192.168.124.51   <none>        Red Hat CoreOS 4.0.5470   3.10.0-862.14.1.el7.x86_64   cri-o://1.11.2

can this get approved?

[wking]

This looks good to me. @abhinavdahiya, do you want to mark your requested-change resolved?

[abhinavdahiya]

@wking #52 (comment)

lgtm this now will break installer.

[abhinavdahiya]

@rphillips @sjenning
Can you add these files to the PR:

$ cat templates/_base/master/files/etc-sysconfig-crio-network.yaml
filesystem: "root"
mode: 0644
path: "/etc/sysconfig/crio-network"
contents:
  inline: |
    CRIO_NETWORK_OPTIONS=--cni-config-dir=/etc/kubernetes/cni/net.d --cni-plugin-dir=/etc/kubernetes/cni/bin

$ cat templates/_base/worker/files/etc-sysconfig-crio-network.yaml
filesystem: "root"
mode: 0644
path: "/etc/sysconfig/crio-network"
contents:
  inline: |
    CRIO_NETWORK_OPTIONS=--cni-config-dir=/etc/kubernetes/cni/net.d --cni-plugin-dir=/etc/kubernetes/cni/bin
``

Also rebase to 2 commits, one with changes and one with generated test_data `go test ./pkg/controller/templates/.. -u`

[rphillips]

Closing in favor of #63