kubeadm: change the default CRI socket to containerd

Change the default container runtime CRI socket endpoint to the
one of containerd. Previously it was the one for Docker.

- Rename constants.DefaultDockerCRISocket to DefaultCRISocket
- Make the constants files include the endpoints for all supported
container runtimes for Unix/Windows.
- Update unit tests related to docker runtime testing.
- In kubelet/flags.go hardcode the legacy docker socket as a check
to allow kubeadm 1.24 to run against kubelet 1.23 if the user
explicitly sets the criSocket field to "npipe:////./pipe/dockershim"
on Windows or "unix:///var/run/dockershim.sock" on Linux.
Lubomir I. Ivanov 2022-01-04 23:15:12 +02:00
parent 936e12c930
commit ea2c948799
15 changed files with 50 additions and 47 deletions


@ -169,7 +169,7 @@ limitations under the License.
// - system:bootstrappers:kubeadm:default-node-token // - system:bootstrappers:kubeadm:default-node-token
// nodeRegistration: // nodeRegistration:
// name: "ec2-10-100-0-1" // name: "ec2-10-100-0-1"
// criSocket: "unix:///var/run/dockershim.sock" // criSocket: "unix:///var/run/containerd/containerd.sock"
// taints: // taints:
// - key: "kubeadmNode" // - key: "kubeadmNode"
// value: "master" // value: "master"


@ -173,7 +173,7 @@ limitations under the License.
// - system:bootstrappers:kubeadm:default-node-token // - system:bootstrappers:kubeadm:default-node-token
// nodeRegistration: // nodeRegistration:
// name: "ec2-10-100-0-1" // name: "ec2-10-100-0-1"
// criSocket: "unix:///var/run/dockershim.sock" // criSocket: "unix:///var/run/containerd/containerd.sock"
// taints: // taints:
// - key: "kubeadmNode" // - key: "kubeadmNode"
// value: "master" // value: "master"


@ -579,7 +579,7 @@ func TestValidateJoinConfiguration(t *testing.T) {
}, },
NodeRegistration: kubeadmapi.NodeRegistrationOptions{ NodeRegistration: kubeadmapi.NodeRegistrationOptions{
Name: "aaa", Name: "aaa",
CRISocket: "unix:///var/run/dockershim.sock", CRISocket: "unix:///var/run/containerd/containerd.sock",
}, },
}, true}, }, true},
{&kubeadmapi.JoinConfiguration{ // Pass with JoinControlPlane {&kubeadmapi.JoinConfiguration{ // Pass with JoinControlPlane
@ -594,7 +594,7 @@ func TestValidateJoinConfiguration(t *testing.T) {
}, },
NodeRegistration: kubeadmapi.NodeRegistrationOptions{ NodeRegistration: kubeadmapi.NodeRegistrationOptions{
Name: "aaa", Name: "aaa",
CRISocket: "unix:///var/run/dockershim.sock", CRISocket: "unix:///var/run/containerd/containerd.sock",
}, },
ControlPlane: &kubeadmapi.JoinControlPlane{ ControlPlane: &kubeadmapi.JoinControlPlane{
LocalAPIEndpoint: kubeadmapi.APIEndpoint{ LocalAPIEndpoint: kubeadmapi.APIEndpoint{
@ -615,7 +615,7 @@ func TestValidateJoinConfiguration(t *testing.T) {
}, },
NodeRegistration: kubeadmapi.NodeRegistrationOptions{ NodeRegistration: kubeadmapi.NodeRegistrationOptions{
Name: "aaa", Name: "aaa",
CRISocket: "unix:///var/run/dockershim.sock", CRISocket: "unix:///var/run/containerd/containerd.sock",
}, },
ControlPlane: &kubeadmapi.JoinControlPlane{ ControlPlane: &kubeadmapi.JoinControlPlane{
LocalAPIEndpoint: kubeadmapi.APIEndpoint{ LocalAPIEndpoint: kubeadmapi.APIEndpoint{
@ -636,7 +636,7 @@ func TestValidateJoinConfiguration(t *testing.T) {
}, },
NodeRegistration: kubeadmapi.NodeRegistrationOptions{ NodeRegistration: kubeadmapi.NodeRegistrationOptions{
Name: "aaa", Name: "aaa",
CRISocket: "/var/run/dockershim.sock", CRISocket: "unix:///var/run/containerd/containerd.sock",
}, },
ControlPlane: &kubeadmapi.JoinControlPlane{ ControlPlane: &kubeadmapi.JoinControlPlane{
LocalAPIEndpoint: kubeadmapi.APIEndpoint{ LocalAPIEndpoint: kubeadmapi.APIEndpoint{
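Review bot: The case in the last hunk (at -636) previously passed a scheme-less value, `/var/run/dockershim.sock`, and now passes `unix:///var/run/containerd/containerd.sock` like the other three edited cases. If that entry was the one exercising a CRISocket without a URL scheme, that input is no longer covered by this table; keeping a scheme-less value there, e.g. `CRISocket: "/var/run/containerd/containerd.sock",`, would preserve it. The table and TestValidateJoinConfiguration continue outside the hunks, so the case's expected result is not visible here.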


@ -359,7 +359,7 @@ kind: InitConfiguration
localAPIEndpoint: localAPIEndpoint:
advertiseAddress: 192.0.2.1 advertiseAddress: 192.0.2.1
nodeRegistration: nodeRegistration:
criSocket: /path/to/dockershim.sock criSocket: "unix:///var/run/containerd/containerd.sock"
--- ---
apiVersion: %[1]s apiVersion: %[1]s
kind: ClusterConfiguration kind: ClusterConfiguration


@ -211,7 +211,7 @@ func getDefaultNodeConfigBytes() ([]byte, error) {
}, },
}, },
NodeRegistration: kubeadmapiv1.NodeRegistrationOptions{ NodeRegistration: kubeadmapiv1.NodeRegistrationOptions{
CRISocket: constants.DefaultDockerCRISocket, // avoid CRI detection CRISocket: constants.DefaultCRISocket, // avoid CRI detection
}, },
}) })
if err != nil { if err != nil {


@ -363,10 +363,10 @@ func TestImagesPull(t *testing.T) {
func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
}, },
LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/docker", nil }, LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/crictl", nil },
} }
containerRuntime, err := utilruntime.NewContainerRuntime(&fexec, constants.DefaultDockerCRISocket) containerRuntime, err := utilruntime.NewContainerRuntime(&fexec, constants.DefaultCRISocket)
if err != nil { if err != nil {
t.Errorf("unexpected NewContainerRuntime error: %v", err) t.Errorf("unexpected NewContainerRuntime error: %v", err)
} }


@ -84,6 +84,8 @@ func runCleanupNode(c workflow.RunData) error {
klog.Warningf("[reset] Failed to remove containers: %v\n", err) klog.Warningf("[reset] Failed to remove containers: %v\n", err)
} }
// TODO: remove the dockershim directory cleanup in 1.25
// https://github.com/kubernetes/kubeadm/issues/2626
r.AddDirsToClean("/var/lib/dockershim", "/var/run/kubernetes", "/var/lib/cni") r.AddDirsToClean("/var/lib/dockershim", "/var/run/kubernetes", "/var/lib/cni")
// Remove contents from the config and pki directories // Remove contents from the config and pki directories


@ -20,6 +20,13 @@ limitations under the License.
package constants package constants
const ( const (
// DefaultDockerCRISocket defines the default Docker CRI socket // CRISocketContainerd is the containerd CRI endpoint
DefaultDockerCRISocket = "unix:///var/run/dockershim.sock" CRISocketContainerd = "unix:///var/run/containerd/containerd.sock"
// CRISocketCRIO is the cri-o CRI endpoint
CRISocketCRIO = "unix:///var/run/crio/crio.sock"
// CRISocketDocker is the cri-dockerd CRI endpoint
CRISocketDocker = "unix:///var/run/cri-dockerd.sock"
// DefaultCRISocket defines the default CRI socket
DefaultCRISocket = CRISocketContainerd
) )
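Review bot: `CRISocketContainerd` is spelled `unix:///var/run/containerd/containerd.sock` here, while other files in this commit (the annotation test and the socket-detection test) use `unix:///run/containerd/containerd.sock` for the same runtime. Code that compares the socket by string equality, as the dockershim check in kubelet/flags.go does, will treat the two spellings as different endpoints even on hosts where `/var/run` resolves to `/run`. The constant's comment should state which spelling is canonical, for example `// CRISocketContainerd is the containerd CRI endpoint (canonical spelling; the /run/... form names the same socket)`.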


@ -20,6 +20,14 @@ limitations under the License.
package constants package constants
const ( const (
// DefaultDockerCRISocket defines the default Docker CRI socket // CRISocketContainerd is the containerd CRI endpoint
DefaultDockerCRISocket = "npipe:////./pipe/docker_engine" CRISocketContainerd = "npipe:////./pipe/containerd-containerd"
// CRISocketCRIO is the cri-o CRI endpoint
// NOTE: this is a placeholder as CRI-O does not support Windows
CRISocketCRIO = "npipe:////./pipe/cri-o"
// CRISocketDocker is the cri-dockerd CRI endpoint
CRISocketDocker = "npipe:////./pipe/cri-dockerd"
// DefaultCRISocket defines the default CRI socket
DefaultCRISocket = CRISocketContainerd
) )


@ -21,6 +21,7 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"runtime"
"strings" "strings"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -102,7 +103,13 @@ func buildKubeletArgMapCommon(opts kubeletFlagsOpts) map[string]string {
// Once that happens only the "remote" branch option should be left. // Once that happens only the "remote" branch option should be left.
// TODO: https://github.com/kubernetes/kubeadm/issues/2626 // TODO: https://github.com/kubernetes/kubeadm/issues/2626
hasDockershim := opts.kubeletVersion.Major() == 1 && opts.kubeletVersion.Minor() < 24 hasDockershim := opts.kubeletVersion.Major() == 1 && opts.kubeletVersion.Minor() < 24
if opts.nodeRegOpts.CRISocket == constants.DefaultDockerCRISocket && hasDockershim { var dockerSocket string
if runtime.GOOS == "windows" {
dockerSocket = "npipe:////./pipe/dockershim"
} else {
dockerSocket = "unix:///var/run/dockershim.sock"
}
if opts.nodeRegOpts.CRISocket == dockerSocket && hasDockershim {
kubeletFlags["network-plugin"] = "cni" kubeletFlags["network-plugin"] = "cni"
} else { } else {
kubeletFlags["container-runtime"] = "remote" kubeletFlags["container-runtime"] = "remote"
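Review bot: The Windows branch compares against `npipe:////./pipe/dockershim`, but the constant this check used before the commit was `npipe:////./pipe/docker_engine` according to the Windows constants file, so a Windows node whose criSocket still holds the old default no longer takes the dockershim branch against a 1.23 kubelet and gets `container-runtime` set to `remote` instead. If that is intended, say so in a comment above the literals; if not, the Windows comparison needs to accept the old value as well. The two literals would also be easier to audit as named constants with a comment such as `// legacy dockershim endpoints, kept only for the kubelet < 1.24 skew; remove with kubeadm issue 2626`. buildKubeletArgMapCommon starts and ends outside the hunk.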


@ -52,7 +52,7 @@ func TestAnnotateCRISocket(t *testing.T) {
}, },
{ {
name: "CRI-socket annotation needs to be updated", name: "CRI-socket annotation needs to be updated",
currentCRISocketAnnotation: "unix:///var/run/dockershim.sock", currentCRISocketAnnotation: "unix:///foo/bar",
newCRISocketAnnotation: "unix:///run/containerd/containerd.sock", newCRISocketAnnotation: "unix:///run/containerd/containerd.sock",
expectedPatch: `{"metadata":{"annotations":{"kubeadm.alpha.kubernetes.io/cri-socket":"unix:///run/containerd/containerd.sock"}}}`, expectedPatch: `{"metadata":{"annotations":{"kubeadm.alpha.kubernetes.io/cri-socket":"unix:///run/containerd/containerd.sock"}}}`,
}, },


@ -917,10 +917,10 @@ func TestImagePullCheck(t *testing.T) {
func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
}, },
LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/docker", nil }, LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/crictl", nil },
} }
containerRuntime, err := utilruntime.NewContainerRuntime(&fexec, constants.DefaultDockerCRISocket) containerRuntime, err := utilruntime.NewContainerRuntime(&fexec, constants.DefaultCRISocket)
if err != nil { if err != nil {
t.Errorf("unexpected NewContainerRuntime error: %v", err) t.Errorf("unexpected NewContainerRuntime error: %v", err)
} }


@ -196,7 +196,7 @@ func DefaultedStaticInitConfiguration() (*kubeadmapi.InitConfiguration, error) {
LocalAPIEndpoint: kubeadmapiv1.APIEndpoint{AdvertiseAddress: "1.2.3.4"}, LocalAPIEndpoint: kubeadmapiv1.APIEndpoint{AdvertiseAddress: "1.2.3.4"},
BootstrapTokens: []bootstraptokenv1.BootstrapToken{PlaceholderToken}, BootstrapTokens: []bootstraptokenv1.BootstrapToken{PlaceholderToken},
NodeRegistration: kubeadmapiv1.NodeRegistrationOptions{ NodeRegistration: kubeadmapiv1.NodeRegistrationOptions{
CRISocket: kubeadmconstants.DefaultDockerCRISocket, // avoid CRI detection CRISocket: kubeadmconstants.DefaultCRISocket, // avoid CRI detection
Name: "node", Name: "node",
}, },
} }


@ -124,7 +124,7 @@ func detectCRISocketImpl(isSocket func(string) bool) (string, error) {
if isSocket(dockerSocket) { if isSocket(dockerSocket) {
// the path in dockerSocket is not CRI compatible, hence we should replace it with a CRI compatible socket // the path in dockerSocket is not CRI compatible, hence we should replace it with a CRI compatible socket
foundCRISockets = append(foundCRISockets, constants.DefaultDockerCRISocket) foundCRISockets = append(foundCRISockets, constants.DefaultCRISocket)
} else if isSocket(containerdSocket) { } else if isSocket(containerdSocket) {
// Docker 18.09 gets bundled together with containerd, thus having both dockerSocket and containerdSocket present. // Docker 18.09 gets bundled together with containerd, thus having both dockerSocket and containerdSocket present.
// For compatibility reasons, we use the containerd socket only if Docker is not detected. // For compatibility reasons, we use the containerd socket only if Docker is not detected.
@ -140,7 +140,7 @@ func detectCRISocketImpl(isSocket func(string) bool) (string, error) {
switch len(foundCRISockets) { switch len(foundCRISockets) {
case 0: case 0:
// Fall back to Docker if no CRI is detected, we can error out later on if we need it // Fall back to Docker if no CRI is detected, we can error out later on if we need it
return constants.DefaultDockerCRISocket, nil return constants.DefaultCRISocket, nil
case 1: case 1:
// Precisely one CRI found, use that // Precisely one CRI found, use that
return foundCRISockets[0], nil return foundCRISockets[0], nil
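Review bot: In the `isSocket(dockerSocket)` branch the rename makes the function append `constants.DefaultCRISocket`, which is now the containerd endpoint, so detecting a Docker socket yields a containerd socket that this branch never probed; the comment above it ("replace it with a CRI compatible socket") and the `case 0` comment ("Fall back to Docker if no CRI is detected") both still describe the old behaviour. Because the returned socket decides which runtime the node is configured against, the substitution should be explicit: either use `constants.CRISocketDocker` in that branch, or reword the comments to `// Docker socket found: report the default CRI endpoint; its existence is not checked here` and `// Fall back to the default CRI socket if none is detected`. The test case that covered a lone Docker socket is removed in the test file of this commit, so this path appears to be left without coverage. detectCRISocketImpl starts and ends outside the hunks.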


@ -89,11 +89,6 @@ func TestIsRunning(t *testing.T) {
LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/crictl", nil }, LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/crictl", nil },
} }
dockerExecer := fakeexec.FakeExec{
CommandScript: genFakeActions(&fcmd, len(fcmd.CombinedOutputScript)),
LookPathFunc: func(cmd string) (string, error) { return "/usr/bin/docker", nil },
}
cases := []struct { cases := []struct {
name string name string
criSocket string criSocket string
@ -102,8 +97,6 @@ func TestIsRunning(t *testing.T) {
}{ }{
{"valid: CRI-O is running", "unix:///var/run/crio/crio.sock", criExecer, false}, {"valid: CRI-O is running", "unix:///var/run/crio/crio.sock", criExecer, false},
{"invalid: CRI-O is not running", "unix:///var/run/crio/crio.sock", criExecer, true}, {"invalid: CRI-O is not running", "unix:///var/run/crio/crio.sock", criExecer, true},
{"valid: docker is running", constants.DefaultDockerCRISocket, dockerExecer, false},
{"invalid: docker is not running", constants.DefaultDockerCRISocket, dockerExecer, true},
} }
for _, tc := range cases { for _, tc := range cases {
@ -143,7 +136,6 @@ func TestListKubeContainers(t *testing.T) {
}{ }{
{"valid: list containers using CRI socket url", "unix:///var/run/crio/crio.sock", false}, {"valid: list containers using CRI socket url", "unix:///var/run/crio/crio.sock", false},
{"invalid: list containers using CRI socket url", "unix:///var/run/crio/crio.sock", true}, {"invalid: list containers using CRI socket url", "unix:///var/run/crio/crio.sock", true},
{"valid: list containers using docker", constants.DefaultDockerCRISocket, false},
} }
for _, tc := range cases { for _, tc := range cases {
@ -197,9 +189,6 @@ func TestRemoveContainers(t *testing.T) {
{"valid: remove containers using CRI", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, false}, // Test case 1 {"valid: remove containers using CRI", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, false}, // Test case 1
{"invalid: CRI rmp failure", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, true}, {"invalid: CRI rmp failure", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, true},
{"invalid: CRI stopp failure", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, true}, {"invalid: CRI stopp failure", "unix:///var/run/crio/crio.sock", []string{"k8s_p1", "k8s_p2", "k8s_p3"}, true},
{"valid: remove containers using docker", constants.DefaultDockerCRISocket, []string{"k8s_c1", "k8s_c2", "k8s_c3"}, false},
{"invalid: docker rm failure", constants.DefaultDockerCRISocket, []string{"k8s_c1", "k8s_c2", "k8s_c3"}, true},
{"invalid: docker stop failure", constants.DefaultDockerCRISocket, []string{"k8s_c1", "k8s_c2", "k8s_c3"}, true},
} }
for _, tc := range cases { for _, tc := range cases {
@ -252,8 +241,6 @@ func TestPullImage(t *testing.T) {
}{ }{
{"valid: pull image using CRI", "unix:///var/run/crio/crio.sock", "image1", false}, {"valid: pull image using CRI", "unix:///var/run/crio/crio.sock", "image1", false},
{"invalid: CRI pull error", "unix:///var/run/crio/crio.sock", "image2", true}, {"invalid: CRI pull error", "unix:///var/run/crio/crio.sock", "image2", true},
{"valid: pull image using docker", constants.DefaultDockerCRISocket, "image1", false},
{"invalid: docker pull error", constants.DefaultDockerCRISocket, "image2", true},
} }
for _, tc := range cases { for _, tc := range cases {
@ -295,9 +282,7 @@ func TestImageExists(t *testing.T) {
result bool result bool
}{ }{
{"valid: test if image exists using CRI", "unix:///var/run/crio/crio.sock", "image1", false}, {"valid: test if image exists using CRI", "unix:///var/run/crio/crio.sock", "image1", false},
{"invalid: CRI inspecti failure", "unix:///var/run/crio/crio.sock", "image2", true}, {"invalid: CRI inspect failure", "unix:///var/run/crio/crio.sock", "image2", true},
{"valid: test if image exists using docker", constants.DefaultDockerCRISocket, "image1", false},
{"invalid: docker inspect failure", constants.DefaultDockerCRISocket, "image2", true},
} }
for _, tc := range cases { for _, tc := range cases {
@ -388,10 +373,10 @@ func TestDetectCRISocketImpl(t *testing.T) {
expectedSocket string expectedSocket string
}{ }{
{ {
name: "No existing sockets, use Docker", name: "No existing sockets, use default",
existingSockets: []string{}, existingSockets: []string{},
expectedError: false, expectedError: false,
expectedSocket: constants.DefaultDockerCRISocket, expectedSocket: constants.DefaultCRISocket,
}, },
{ {
name: "One valid CRI socket leads to success", name: "One valid CRI socket leads to success",
@ -399,12 +384,6 @@ func TestDetectCRISocketImpl(t *testing.T) {
expectedError: false, expectedError: false,
expectedSocket: "unix:///var/run/crio/crio.sock", expectedSocket: "unix:///var/run/crio/crio.sock",
}, },
{
name: "Correct Docker CRI socket is returned",
existingSockets: []string{"unix:///var/run/docker.sock"},
expectedError: false,
expectedSocket: constants.DefaultDockerCRISocket,
},
{ {
name: "CRI and Docker sockets lead to an error", name: "CRI and Docker sockets lead to an error",
existingSockets: []string{ existingSockets: []string{
@ -420,10 +399,10 @@ func TestDetectCRISocketImpl(t *testing.T) {
"unix:///run/containerd/containerd.sock", "unix:///run/containerd/containerd.sock",
}, },
expectedError: false, expectedError: false,
expectedSocket: constants.DefaultDockerCRISocket, expectedSocket: constants.DefaultCRISocket,
}, },
{ {
name: "A couple of CRI sockets lead to an error", name: "Multiple CRI sockets lead to an error",
existingSockets: []string{ existingSockets: []string{
"unix:///var/run/crio/crio.sock", "unix:///var/run/crio/crio.sock",
"unix:///run/containerd/containerd.sock", "unix:///run/containerd/containerd.sock",