Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[containerd] Support containerd v2.0.x #11845

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

mzaian
Copy link
Contributor

@mzaian mzaian commented Jan 1, 2025

What type of PR is this?

/kind container-managers
/kind feature

What this PR does / why we need it:
Add hashes for containerd versions 2.0.[0-1]
containerd 2.0.0 release notes https://github.com/containerd/containerd/releases/tag/v2.0.0
containerd 2.0.1 release notes https://github.com/containerd/containerd/releases/tag/v2.0.1
Make containerd 2.0.1 default
Set containerd_limit_open_file_num to 1048576

Which issue(s) this PR fixes:

Fixes #11836

Does this PR introduce a user-facing change?:

Make containerd 2.0.1 default
Set containerd_limit_open_file_num to 1048576 so it's configurable.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/container-managers Containers section in the release note kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 1, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mzaian

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 1, 2025
@mzaian
Copy link
Contributor Author

mzaian commented Jan 1, 2025

I did not remove LimitNOFILE from containerd.service.j2 which is removed from the 2.0.x release. There is a discussion here: containerd/containerd#8924 about that.

@mzaian
Copy link
Contributor Author

mzaian commented Jan 1, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jan 1, 2025
@mzaian mzaian requested review from yankay, VannTen and tico88612 January 1, 2025 12:52
@VannTen
Copy link
Contributor

VannTen commented Jan 1, 2025 via email

@yankay
Copy link
Member

yankay commented Jan 2, 2025

Hi @mzaian,

I do not recommend upgrading the default version of containerd to v2 for several reasons:

  • Breaking Changes: Containerd v2 introduces significant breaking changes that require migration. Currently, most Kubernetes users are still on v1.x.
  • Upstream Dependency: The upstream Kubernetes project does not have any plans to migrate to containerd v2 at this time, as they are still relying on v1.x. You can check the details here.

Given the magnitude of this change, I suggest that Kubespray should consider supporting both containerd v2 and v1 both, while keeping v1.x as the default. Once the upstream project transitions to v2, Kubespray can then update the default to v2.

/hold (for more discuss)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 2, 2025
@mzaian
Copy link
Contributor Author

mzaian commented Jan 2, 2025

Hi @mzaian,

I do not recommend upgrading the default version of containerd to v2 for several reasons:

  • Breaking Changes: Containerd v2 introduces significant breaking changes that require migration. Currently, most Kubernetes users are still on v1.x.
  • Upstream Dependency: The upstream Kubernetes project does not have any plans to migrate to containerd v2 at this time, as they are still relying on v1.x. You can check the details here.

Given the magnitude of this change, I suggest that Kubespray should consider supporting both containerd v2 and v1 both, while keeping v1.x as the default. Once the upstream project transitions to v2, Kubespray can then update the default to v2.

/hold (for more discuss)

Hi @yankay

As we align with the upstream Kubernetes. Let's keep this on-hold for a future Kubespray release then.

@VannTen
Copy link
Contributor

VannTen commented Jan 3, 2025 via email

@mzaian mzaian force-pushed the support-containerd-2.0.x branch 2 times, most recently from 037b6e9 to fba3798 Compare January 6, 2025 09:56
@mzaian mzaian force-pushed the support-containerd-2.0.x branch from fba3798 to b730cf6 Compare January 6, 2025 13:31
@yankay
Copy link
Member

yankay commented Jan 7, 2025

Thanks @VannTen

/unhold

@yankay yankay removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 7, 2025
@mzaian
Copy link
Contributor Author

mzaian commented Jan 7, 2025

Thanks @VannTen

/unhold

Ok good then we can proceed and this will be out with the next release. So we have time to test and fix any issues when they occur.

@yankay
Copy link
Member

yankay commented Jan 7, 2025

Yes @mzaian 🎉

There some bugs with containerd v2.0 and kubenretes , eg:

@VannTen
Copy link
Contributor

VannTen commented Jan 7, 2025

So what about the LimitNOFile change ?

Also, maybe we should use a action required release note and link to containerd 2.0 release ?

@mzaian
Copy link
Contributor Author

mzaian commented Jan 7, 2025

So what about the LimitNOFile change ?

Also, maybe we should use a action required release note and link to containerd 2.0 release ?

I will add it again and add a release not for it.

@mzaian mzaian force-pushed the support-containerd-2.0.x branch from b730cf6 to 5c8dc3e Compare January 7, 2025 13:40
Copy link
Contributor

@VannTen VannTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding the service file, should we template based on containerd version ?
Aka keep Limit* on 1.7 ?

@@ -30,7 +30,6 @@ RestartSec=5
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC={{ containerd_limit_proc_num }}
LimitCORE={{ containerd_limit_core }}
LimitNOFILE={{ containerd_limit_open_file_num }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think on systemd v240 we should use 1024:524288 as explained in containerd/containerd#8924 (comment)
(Rhel 8 and derivatives are on 239 if I believe Repology)

Not sure how to check for systemd version though 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about leaving this out of this PR and I can work separately in investigating this for all other supported operating systems.

Copy link
Member

@yankay yankay Jan 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @mzaian,

Would it be better to retain LimitNOFILE={{ containerd_limit_open_file_num }} and adjust the default value of containerd_limit_open_file_num to 1048576, similar to what was done in kubernetes/kops#16329?
This way, users can still customize containerd_limit_open_file_num, and avoid to use infinity

Thank you!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd rather follow containerd on that. In particular, this means running a pod locally with an untweaked config (in podman or docker ) could have a different behavior than in a kubespray cluster (if running into the issues when the soft limit is high).

@mzaian
Copy link
Contributor Author

mzaian commented Jan 7, 2025

Regarding the service file, should we template based on containerd version ? Aka keep Limit* on 1.7 ?

I can do this but first I will check if they cherry-picked this change to 1.7.x

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/container-managers Containers section in the release note kind/feature Categorizes issue or PR as related to a new feature. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support: Containerd v2.0.x
4 participants