diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d9b0bbb40..f7794a838 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -244,7 +244,7 @@ jobs: fail-fast: false matrix: os: [windows-2019, windows-2022] - enable_cri_sandboxes: ["", "sandboxed"] + disable_cri_sandboxes: ["", "legacyCRI"] defaults: run: @@ -335,7 +335,7 @@ jobs: - name: Integration 1 env: CGO_ENABLED: 1 - ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }} + DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }} GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-serial-junit.xml GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-serial-gotest.json EXTRA_TESTFLAGS: "-timeout=20m" @@ -353,7 +353,7 @@ jobs: TESTFLAGS_PARALLEL: 1 EXTRA_TESTFLAGS: "-short" CGO_ENABLED: 1 - ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }} + DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }} GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-parallel-gotest.json run: mingw32-make.exe integration @@ -366,14 +366,14 @@ jobs: - name: CRI Integration Test env: - ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }} + DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }} TEST_IMAGE_LIST: ${{github.workspace}}/repolist.toml run: | make cri-integration - name: cri-tools critest env: - ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }} + DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }} CRI_TEST_IMAGES: ${{github.workspace}}/cri-test-images.yaml shell: powershell run: | @@ -409,7 +409,7 @@ jobs: runtime: - io.containerd.runc.v2 runc: [runc, crun] - enable_cri_sandboxes: ["", "sandboxed"] + DISABLE_CRI_SANDBOXES: ["", "legacyCRI"] env: GOTEST: gotestsum -- 
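Review bot: The Linux matrix in the last ci.yml hunk on this line declares its key as `DISABLE_CRI_SANDBOXES` (upper case), while the Windows matrix and every `${{ matrix.disable_cri_sandboxes }}` reference use lower case. Even if the expression lookup resolves regardless of case, which this page does not show, the mismatch is easy to misread, and an empty expansion would silently select the default sandboxed path so the legacy leg would never be exercised. I would write `disable_cri_sandboxes: ["", "legacyCRI"]` to match the Windows job. The matrix value `legacyCRI` also differs from the `DISABLE_CRI_SANDBOXES=1` form documented in RELEASES.md and containerd.service; a comment such as `# any non-empty value selects the legacy CRI server` above the key would explain why both work.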
@@ -464,7 +464,7 @@ jobs: env: TEST_RUNTIME: ${{ matrix.runtime }} RUNC_FLAVOR: ${{ matrix.runc }} - ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }} + DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }} GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-serial-junit.xml GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-serial-gotest.json run: | @@ -483,7 +483,7 @@ jobs: env: TEST_RUNTIME: ${{ matrix.runtime }} RUNC_FLAVOR: ${{ matrix.runc }} - ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }} + DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }} GOTESTSUM_JUNITFILE: ${{github.workspace}}/test-integration-parallel-junit.xml GOTESTSUM_JSONFILE: ${{github.workspace}}/test-integration-parallel-gotest.json run: | @@ -500,14 +500,14 @@ jobs: - name: CRI Integration Test env: TEST_RUNTIME: ${{ matrix.runtime }} - ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }} + DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }} run: | CONTAINERD_RUNTIME=$TEST_RUNTIME make cri-integration - name: cri-tools critest env: TEST_RUNTIME: ${{ matrix.runtime }} - ENABLE_CRI_SANDBOXES: ${{ matrix.enable_cri_sandboxes }} + DISABLE_CRI_SANDBOXES: ${{ matrix.disable_cri_sandboxes }} run: | sudo -E PATH=$PATH ./script/critest.sh "${{github.workspace}}/report" diff --git a/RELEASES.md b/RELEASES.md index 14c13edbc..24a16726a 100644 --- a/RELEASES.md +++ b/RELEASES.md 
@@ -386,6 +386,8 @@ The deprecated features are shown in the following table: | `cri-containerd-*.tar.gz` release bundles | containerd v1.6 | containerd v2.0 | Use `containerd-*.tar.gz` bundles | | Pulling Schema 1 images (`application/vnd.docker.distribution.manifest.v1+json`) | containerd v1.7 | containerd v2.0 | Use Schema 2 or OCI images | | CRI `v1alpha2` | containerd v1.7 | containerd v2.0 ✅ | Use CRI `v1` | +| Legacy CRI implementation of podsandbox support | containerd v2.0 | containerd v2.1 | Disabled by default in 2.0 in favor of core sandboxed CRI plugin (use `DISABLE_CRI_SANDBOXES=1` to fallback to prior CRI podsandbox implementation) | + ### Deprecated config properties The deprecated properties in [`config.toml`](./docs/cri/config.md) are shown in the following table: diff --git a/Vagrantfile b/Vagrantfile index 23675a81f..c866bea3b 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -272,7 +272,7 @@ EOF 'GOTESTSUM_JUNITFILE': ENV['GOTESTSUM_JUNITFILE'], 'GOTESTSUM_JSONFILE': ENV['GOTESTSUM_JSONFILE'], 'GITHUB_WORKSPACE': '', - 'ENABLE_CRI_SANDBOXES': ENV['ENABLE_CRI_SANDBOXES'], + 'DISABLE_CRI_SANDBOXES': ENV['DISABLE_CRI_SANDBOXES'], } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/containerd.service b/containerd.service index 38a345945..05e809da5 100644 --- a/containerd.service +++ b/containerd.service @@ -18,8 +18,8 @@ Documentation=https://containerd.io After=network.target local-fs.target [Service] -#uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration -#Environment="ENABLE_CRI_SANDBOXES=sandboxed" +#uncomment to fallback to legacy CRI plugin implementation with podsandbox support. +#Environment="DISABLE_CRI_SANDBOXES=1" ExecStartPre=-/sbin/modprobe overlay ExecStart=/usr/local/bin/containerd diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index b04217573..11825c4b1 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test 
@@ -94,7 +94,7 @@ RUN make BUILDTAGS="no_btrfs no_devmapper" bin/cri-integration.test RUN ./script/setup/install-failpoint-binaries # The test scripts need these env vars to be explicitly set ENV GITHUB_WORKSPACE="" -ENV ENABLE_CRI_SANDBOXES="" +ENV DISABLE_CRI_SANDBOXES="" ENV CONTAINERD_RUNTIME="io.containerd.runc.v2" CMD ["make", "cri-integration"] diff --git a/integration/sandbox_run_rollback_test.go b/integration/sandbox_run_rollback_test.go index e17dea2e8..96aa89c71 100644 --- a/integration/sandbox_run_rollback_test.go +++ b/integration/sandbox_run_rollback_test.go @@ -293,8 +293,7 @@ func TestRunPodSandboxAndTeardownCNISlow(t *testing.T) { assert.Equal(t, sb.Metadata.Uid, sbConfig.Metadata.Uid) assert.Equal(t, sb.Metadata.Attempt, sbConfig.Metadata.Attempt) - switch os.Getenv("ENABLE_CRI_SANDBOXES") { - case "": + if os.Getenv("DISABLE_CRI_SANDBOXES") != "" { // non-sbserver t.Log("Get sandbox info (non-sbserver)") _, info, err := SandboxInfo(sb.Id) @@ -319,7 +318,7 @@ func TestRunPodSandboxAndTeardownCNISlow(t *testing.T) { metadata, ok := i.(*sandbox.Metadata) require.True(t, ok) assert.Equal(t, netNS, metadata.NetNSPath, "network namespace path should be the same in runtime spec and sandbox metadata") - default: + } else { // sbserver t.Log("Get sandbox info (sbserver)") _, info, err := sbserverSandboxInfo(sb.Id) @@ -328,7 +327,6 @@ func TestRunPodSandboxAndTeardownCNISlow(t *testing.T) { assert.NotEmpty(t, info.Metadata.NetNSPath, "network namespace should be set") } - } // sbserverSandboxInfo gets sandbox info. diff --git a/pkg/cri/config/config.go b/pkg/cri/config/config.go index 3966e549a..719812242 100644 --- a/pkg/cri/config/config.go +++ b/pkg/cri/config/config.go 
@@ -78,7 +78,7 @@ type Runtime struct { // See https://github.com/containerd/containerd/issues/6657 for details. Snapshotter string `toml:"snapshotter" json:"snapshotter"` // SandboxMode defines which sandbox runtime to use when scheduling pods - // This features requires experimental CRI server to be enabled (use ENABLE_CRI_SANDBOXES=1) + // This features requires the new CRI server implementation (enabled by default in 2.0) // shim - means use whatever Controller implementation provided by shim (e.g. use RemoteController). // podsandbox - means use Controller implementation from sbserver podsandbox package. SandboxMode string `toml:"sandbox_mode" json:"sandboxMode"` diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go index 577905cbe..2eaa28d0e 100644 --- a/pkg/cri/cri.go +++ b/pkg/cri/cri.go @@ -88,8 +88,8 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) { } var s server.CRIService - if os.Getenv("ENABLE_CRI_SANDBOXES") != "" { - log.G(ctx).Info("using experimental CRI Sandbox server - unset ENABLE_CRI_SANDBOXES to disable") + if os.Getenv("DISABLE_CRI_SANDBOXES") == "" { + log.G(ctx).Info("using CRI Sandbox server - use DISABLE_CRI_SANDBOXES=1 to fallback to legacy CRI") s, err = sbserver.NewCRIService(c, client, getNRIAPI(ic)) } else { log.G(ctx).Info("using legacy CRI server") diff --git a/script/test/cri-integration.sh b/script/test/cri-integration.sh index 442054a4b..fbc8019b2 100755 --- a/script/test/cri-integration.sh +++ b/script/test/cri-integration.sh 
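Review bot: The new condition `os.Getenv("DISABLE_CRI_SANDBOXES") == ""` in initCRIService treats any non-empty value as a request for the legacy server, so `DISABLE_CRI_SANDBOXES=0` or `=false` falls back to the legacy implementation exactly like `=1`. Since this variable now decides which sandbox implementation serves CRI, I would either parse it with `strconv.ParseBool` (and change the CI matrix value `legacyCRI` to `"1"` so the legacy leg still runs), or state the rule next to the check: `// any non-empty value, including "0", selects the legacy CRI server`. The function body starts and ends outside the hunk, so I cannot see whether the value is logged elsewhere; including it in the fallback log line would make the active implementation easy to confirm from the service log.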
@@ -44,9 +44,9 @@ test_setup "${REPORT_DIR}"
 CMD=""
 if [ -n "${sudo}" ]; then
 CMD+="${sudo} "
- # sudo strips environment variables, so add ENABLE_CRI_SANDBOXES back if present
- if [ -n "${ENABLE_CRI_SANDBOXES}" ]; then
- CMD+="ENABLE_CRI_SANDBOXES='${ENABLE_CRI_SANDBOXES}' "
+ # sudo strips environment variables, so add DISABLE_CRI_SANDBOXES back if present
+ if [ -n "${DISABLE_CRI_SANDBOXES}" ]; then
+ CMD+="DISABLE_CRI_SANDBOXES='${DISABLE_CRI_SANDBOXES}' "
 fi
 fi
 CMD+="${PWD}/bin/cri-integration.test"
diff --git a/script/test/utils.sh b/script/test/utils.sh
index 8eedc040e..b49d3ac0e 100755
--- a/script/test/utils.sh
+++ b/script/test/utils.sh
@@ -215,9 +215,9 @@ run_containerd() {
 CMD=""
 if [ -n "${sudo}" ]; then
 CMD+="${sudo} "
- # sudo strips environment variables, so add ENABLE_CRI_SANDBOXES back if present
- if [ -n "${ENABLE_CRI_SANDBOXES}" ]; then
- CMD+="ENABLE_CRI_SANDBOXES='${ENABLE_CRI_SANDBOXES}' "
+ # sudo strips environment variables, so add DISABLE_CRI_SANDBOXES back if present
+ if [ -n "${DISABLE_CRI_SANDBOXES}" ]; then
+ CMD+="DISABLE_CRI_SANDBOXES='${DISABLE_CRI_SANDBOXES}' "
 fi
 fi
 CMD+="${PWD}/bin/containerd"
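Review bot: `CMD+="DISABLE_CRI_SANDBOXES='${DISABLE_CRI_SANDBOXES}' "` in script/test/cri-integration.sh splices the variable's value into a command string that runs under sudo, so the result depends on how `CMD` is expanded later, which is outside this hunk. With plain word splitting the single quotes become part of the value, and with `eval` a value containing a quote would alter the command line. Letting sudo carry the variable avoids both: after `CMD+="${sudo} "`, append `CMD+="--preserve-env=DISABLE_CRI_SANDBOXES "` instead of the quoted assignment, assuming `${sudo}` is plain `sudo` (its definition is not visible here). The same three lines appear in run_containerd in script/test/utils.sh and would take the same change.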