Noticed this in the CI output:
Requested golangci-lint 'v1.29', using 'v1.29.0', calculation took 7969ms
Installing golangci-lint v1.29.0...
Downloading https://github.com/golangci/golangci-lint/releases/download/v1.29.0/golangci-lint-1.29.0-darwin-amd64.tar.gz ...
Using nearly 8 seconds to convert v1.29 to v1.29.0 seems a bit long,
so hard-coding to the full version to speed up CI somewhat.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- hack/test-cri-integration.sh : called from Makefile
- hack/test-utils.sh : called from hack/test-cri-integration.sh
- hack/utils.sh : called from hack/test-utils.sh
Other files are no longer used and can be safely removed.
Kube test-infra doesn't seem to require the removed file as well: https://github.com/kubernetes/test-infra/search?q=containerd+hack
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
With container-selinux policy updated to 2.145+ (the default for Fedora 32+) we
can enable SELinux=Enforcing mode in the CI workflow and pass all integration
and CRI tests except one, see https://github.com/containerd/containerd/issues/4460,
which has been marked as skipped.
Tested locally with:
- SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-integration
- SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-cri
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, https://github.com/rancher/k3s/issues/2240
Even with updated container-selinux policy, container-local /dev/shm
will get mounted with container_runtime_tmpfs_t because it is a tmpfs
created by the runtime and not the container (thus, container_runtime_t
transition rules apply). The relabel mitigates such, allowing envoy
proxy to work correctly (and other programs that wish to write to their
/dev/shm) under selinux.
Tested locally with:
- SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-integration
- SELINUX=Enforcing CRITEST_ARGS=--ginkgo.skip='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri
- SELINUX=Permissive CRITEST_ARGS=--ginkgo.focus='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Private registries that do not support http 2.0, such as Azure Container Registry, stream back content in a max of 16KB chunks (max TLS record size). The small chunks introduce an overhead when copying the layers to the content store since each chunk incurs the overhead of a grpc message that has to be sent to the content store.
This change reduces this overhead by buffering the chunks into 1MB chunks and only then writing a message to the content store.
Below is a perf comparison between the 2 approaches using a couple of large images that are being pulled from the docker hub (http 2.0) and a private Azure CR (http 1.1) in seconds.
image | Buffered copy | master
------- |---------------|----------
docker.io/pytorch/pytorch:latest | 55.63 | 58.33
docker.io/nvidia/cuda:latest | 72.05 | 75.98
containerdpulltest.azurecr.io/pytorch/pytorch:latest | 61.45 | 77.1
containerdpulltest.azurecr.io/nvidia/cuda:latest | 77.13 | 85.47
Signed-off-by: Amr Mahdi <amramahdi@gmail.com>
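
The effect described in the commit message above can be reproduced offline. The following is an added example, not containerd's code: `chunkedReader`, `messageCounter`, `bufferedCopy` and `compare` are hypothetical names, the 16KB and 1MB sizes come from the message, and one `Write` call stands in for one grpc message to the content store.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// 16KB is the largest chunk the registry returns per read; 1MB is the copy buffer.
const tlsRecord, bufSize = 16 << 10, 1 << 20

// chunkedReader caps each Read at tlsRecord bytes (constructed stand-in for the HTTP/1.1 body).
type chunkedReader struct{ r io.Reader }

func (c chunkedReader) Read(p []byte) (int, error) {
	return io.LimitReader(c.r, tlsRecord).Read(p) // a fresh limiter truncates only this call
}

// messageCounter counts Write calls; each one stands in for a grpc message.
type messageCounter int

func (m *messageCounter) Write(p []byte) (int, error) { *m++; return len(p), nil }

// bufferedCopy fills a bufSize buffer from src before every write to dst.
func bufferedCopy(dst io.Writer, src io.Reader) error {
	buf := make([]byte, bufSize)
	for {
		n, rerr := io.ReadFull(src, buf)
		if n > 0 {
			if _, err := dst.Write(buf[:n]); err != nil {
				return err
			}
		}
		if rerr == io.EOF || rerr == io.ErrUnexpectedEOF {
			return nil // source drained; any short tail was written above
		} else if rerr != nil {
			return rerr
		}
	}
}

// compare returns the message counts for plain io.Copy and for bufferedCopy over a
// constructed all-zero layer of the given size (these in-memory copies cannot fail).
func compare(size int) (direct, buffered int) {
	var d, b messageCounter
	io.Copy(&d, chunkedReader{bytes.NewReader(make([]byte, size))})
	bufferedCopy(&b, chunkedReader{bytes.NewReader(make([]byte, size))})
	return int(d), int(b)
}

func main() { fmt.Println(compare(4*bufSize + 5000)) }
```
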