Upgrade Garden to Containerd v2.0 #368

Draft
wants to merge 4 commits into
base: develop
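--- a/.gitmodules
+++ b/.gitmodules
@@ -26,3 +26,7 @@
 path = src/garden-performance-acceptance-tests
 url = https://github.com/cloudfoundry/garden-performance-acceptance-tests
 branch = main
+[submodule "src/containerd"]
+path = src/containerd
+url = https://github.com/containerd/containerd.git
+branch = release/2.0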
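Review bot: `branch = release/2.0` on the new `src/containerd` submodule does not determine which containerd source gets compiled into the release. That is decided by the submodule commit recorded in the tree, and no such entry appears among the files shown on this page. The packaging script on this page switches the build from the copy vendored under Guardian to this submodule, so it would help to record the intended pin next to the entry, e.g. `# containerd pinned at <RELEASE_TAG> (<COMMIT_SHA>)`, and to move it only to tagged releases rather than the branch head. It is also worth confirming that the gitlink for `src/containerd` is part of this PR.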
2 changes: 1 addition & 1 deletion jobs/garden/templates/bin/containerd_utils.erb
@@ -52,7 +52,7 @@ start_containerd() {

echo "$!" > "$CONTAINERD_PIDFILE"

address=$(grep containerd.sock $containerd_config_filepath | awk '{print $3}' | tr -d '"')
address=$(grep containerd.sock $containerd_config_filepath | awk '{print $3}' | tr -d \')
while ! /var/vcap/packages/containerd/bin/ctr -a $address --connect-timeout 100ms c ls; do
log "waiting for containerd to become available"
sleep 0.1
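Review bot: The socket-address extraction in start_containerd is coupled to the quoting style of the TOML template: one `address=` line strips `"` and the other strips `'`, so a later reformat of containerd.toml.erb would leave quotes in `$address` and the `ctr` readiness loop would poll a path that does not exist. Stripping both quote characters and quoting the expansions avoids that: `address=$(grep -F containerd.sock "$containerd_config_filepath" | awk '{print $3}' | tr -d "\"'")`, then `ctr -a "$address" ...`. If grep matches nothing, the unquoted empty `$address` lets `-a` take `--connect-timeout` as its value, so a guard such as `[ -n "$address" ] || exit 1` before the loop is worth adding. The body of start_containerd starts and ends outside this hunk, so whether the wait loop is bounded cannot be seen from here.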
230 changes: 202 additions & 28 deletions jobs/garden/templates/config/containerd.toml.erb
@@ -1,33 +1,207 @@
root = "/var/vcap/data/containerd/root"
state = "/var/vcap/sys/run/containerd/state"
subreaper = true
version = 3
root = '/var/vcap/data/containerd/root'
state = '/var/vcap/sys/run/containerd/state'
temp = ''
plugin_dir = ''
disabled_plugins = ['io.containerd.snapshotter.v1.aufs',
'io.containerd.snapshotter.v1.devmapper',
'io.containerd.snapshotter.v1.overlayfs',
'io.containerd.snapshotter.v1.zfs',
'io.containerd.grpc.v1.walking',
'io.containerd.gc.v1.scheduler',
'io.containerd.service.v1.diff-service',
'io.containerd.service.v1.images-service',
'io.containerd.service.v1.namespaces-service',
'io.containerd.service.v1.snapshots-service',
'io.containerd.grpc.v1.diff',
'io.containerd.grpc.v1.healthcheck',
'io.containerd.grpc.v1.images',
'io.containerd.grpc.v1.namespaces',
'io.containerd.grpc.v1.snapshots',
'io.containerd.grpc.v1.version',
'io.containerd.grpc.v1.cri',
'io.containerd.grpc.v1.leases',
'io.containerd.service.v1.leases-service',
'io.containerd.internal.v1.restart']

required_plugins = []
oom_score = -999
disabled_plugins = [
"aufs",
"devmapper",
"overlayfs",
"zfs",
"walking",
"scheduler",
"diff-service",
"images-service",
"namespaces-service",
"snapshots-service",
"diff",
"healthcheck",
"images",
"namespaces",
"snapshots",
"version",
"cri",
"leases",
"leases-service",
"restart",
]
imports = []

[grpc]
address = "/var/vcap/sys/run/containerd/containerd.sock"
address = '/var/vcap/sys/run/containerd/containerd.sock'
tcp_address = ''
tcp_tls_ca = ''
tcp_tls_cert = ''
tcp_tls_key = ''
uid = 0
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216

[ttrpc]
address = ''
uid = 0
gid = 0

[debug]
address = "/var/vcap/sys/run/containerd/debug.sock"
level = "info"
address = '/var/vcap/sys/run/containerd/debug.sock'
uid = 0
gid = 0
level = 'info'
format = ''

[metrics]
address = ''
grpc_histogram = false

[plugins]
[plugins.'io.containerd.cri.v1.images']
snapshotter = 'overlayfs'
disable_snapshot_annotations = true
discard_unpacked_layers = false
max_concurrent_downloads = 3
image_pull_progress_timeout = '5m0s'
image_pull_with_sync_fs = false
stats_collect_period = 10

[plugins.'io.containerd.cri.v1.images'.pinned_images]
sandbox = 'registry.k8s.io/pause:3.10'

[plugins.'io.containerd.cri.v1.images'.registry]
config_path = ''

[plugins.'io.containerd.cri.v1.images'.image_decryption]
key_model = 'node'

[plugins.'io.containerd.cri.v1.runtime']
enable_selinux = false
selinux_category_range = 1024
max_container_log_line_size = 16384
disable_apparmor = false
restrict_oom_score_adj = false
disable_proc_mount = false
unset_seccomp_profile = ''
tolerate_missing_hugetlb_controller = true
disable_hugetlb_controller = true
device_ownership_from_security_context = false
ignore_image_defined_volumes = false
netns_mounts_under_state_dir = false
enable_unprivileged_ports = true
enable_unprivileged_icmp = true
enable_cdi = true
cdi_spec_dirs = ['/etc/cdi', '/var/run/cdi']
drain_exec_sync_io_timeout = '0s'
ignore_deprecation_warnings = []

[plugins.'io.containerd.cri.v1.runtime'.containerd]
default_runtime_name = 'runc'
ignore_blockio_not_enabled_errors = false
ignore_rdt_not_enabled_errors = false

[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes]
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc]
runtime_type = 'io.containerd.runc.v2'
runtime_path = ''
pod_annotations = []
container_annotations = []
privileged_without_host_devices = false
privileged_without_host_devices_all_devices_allowed = false
base_runtime_spec = ''
cni_conf_dir = ''
cni_max_conf_num = 0
snapshotter = ''
sandboxer = 'podsandbox'
io_type = ''

[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]
BinaryName = ''
CriuImagePath = ''
CriuWorkPath = ''
IoGid = 0
IoUid = 0
NoNewKeyring = false
Root = ''
ShimCgroup = ''

[plugins.'io.containerd.cri.v1.runtime'.cni]
bin_dir = '/opt/cni/bin'
conf_dir = '/etc/cni/net.d'
max_conf_num = 1
setup_serially = false
conf_template = ''
ip_pref = ''
use_internal_loopback = false

[plugins.'io.containerd.image-verifier.v1.bindir']
bin_dir = '/opt/containerd/image-verifier/bin'
max_verifiers = 10
per_verifier_timeout = '10s'

[plugins.'io.containerd.internal.v1.opt']
path = '/opt/containerd'

[plugins.'io.containerd.internal.v1.tracing']

[plugins.'io.containerd.metadata.v1.bolt']
content_sharing_policy = 'shared'

[plugins.'io.containerd.monitor.container.v1.restart']
interval = '10s'

[plugins.'io.containerd.monitor.task.v1.cgroups']
no_prometheus = false

[plugins.'io.containerd.nri.v1.nri']
disable = false
socket_path = '/var/run/nri/nri.sock'
plugin_path = '/opt/nri/plugins'
plugin_config_path = '/etc/nri/conf.d'
plugin_registration_timeout = '5s'
plugin_request_timeout = '2s'
disable_connections = false

[plugins.'io.containerd.runtime.v2.task']
platforms = ['linux/amd64']

[plugins.'io.containerd.service.v1.tasks-service']
blockio_config_file = ''
rdt_config_file = ''

[plugins.'io.containerd.shim.v1.manager']
env = []

[plugins.'io.containerd.snapshotter.v1.blockfile']
root_path = ''
scratch_file = ''
fs_type = ''
mount_options = []
recreate_scratch = false

[plugins.'io.containerd.snapshotter.v1.native']
root_path = ''

[plugins.'io.containerd.tracing.processor.v1.otlp']

[plugins.'io.containerd.transfer.v1.local']
max_concurrent_downloads = 3
max_concurrent_uploaded_layers = 3
config_path = ''

[cgroup]
path = ''

[stream_processors]
[stream_processors.'io.containerd.ocicrypt.decoder.v1.tar']
accepts = ['application/vnd.oci.image.layer.v1.tar+encrypted']
returns = 'application/vnd.oci.image.layer.v1.tar'
path = 'ctd-decoder'
args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys']
env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf']

[stream_processors.'io.containerd.ocicrypt.decoder.v1.tar.gzip']
accepts = ['application/vnd.oci.image.layer.v1.tar+gzip+encrypted']
returns = 'application/vnd.oci.image.layer.v1.tar+gzip'
path = 'ctd-decoder'
args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys']
env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf']
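Review bot: The rewritten `disabled_plugins` list may no longer disable everything the old short-name list did: it names `io.containerd.internal.v1.restart`, while this same file configures the restart monitor under `[plugins.'io.containerd.monitor.container.v1.restart']`, so that entry probably matches no plugin and is ignored. The other translated IDs (for example `io.containerd.grpc.v1.walking`) deserve the same check against `ctr plugins ls` on a deployed VM. The rest of the file reads like an unmodified default-config dump, which leaves NRI enabled (`disable = false`, `disable_connections = false`) with its socket and plugin directories under `/var/run/nri`, `/opt/nri` and `/etc/nri`, outside the `/var/vcap` tree this job manages. Unless Garden uses NRI, set `disable = true` there or add `'io.containerd.nri.v1.nri'` to `disabled_plugins`. Also consider trimming the CRI, CNI and ocicrypt tables, which are configured although `io.containerd.grpc.v1.cri` is disabled.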
4 changes: 1 addition & 3 deletions packages/containerd/packaging
@@ -10,10 +10,8 @@ source /var/vcap/packages/golang-*-linux/bosh/compile.env
mkdir -p "${BOSH_INSTALL_TARGET}/bin"
export GOBIN="${BOSH_INSTALL_TARGET}/bin"

pushd src/guardian/vendor/github.com/containerd/containerd
pushd src/containerd
BUILDTAGS=no_btrfs make ./bin/containerd
BUILDTAGS=no_btrfs make ./bin/containerd-shim
BUILDTAGS=no_btrfs make ./bin/containerd-shim-runc-v1
BUILDTAGS=no_btrfs make ./bin/containerd-shim-runc-v2
BUILDTAGS=no_btrfs make ./bin/ctr
cp -R bin "${BOSH_INSTALL_TARGET}"