| kata-dev-irc-bot | <eric.ernst> no more K8S Helm talk? | 00:09 |
|---|---|---|
| kata-dev-irc-bot | <eric.ernst> Or just needing one in addition? | 00:10 |
| kata-dev-irc-bot | <eric.ernst> @tpepper | 00:10 |
| kata-dev-irc-bot | <eric.ernst> That's not too soon. | 00:10 |
| kata-dev-irc-bot | <tpepper> I’m not sure if it was a …Helmer? or Helmet? … who dropped or if you’d be talk 2 of 2? | 00:11 |
| *** mylinux has quit IRC | 00:22 | |
| kata-dev-irc-bot | <mayank.kumar> @eric.ernst i do see the containerId from the pod yaml in the cc-runtime list . you were referring to some annotations which decide in the workload, can you tell me which annotation are you referring to | 00:43 |
| *** mylinux_ has joined #kata-general | 00:47 | |
| kata-dev-irc-bot | <eric.ernst> In CRIO it is io.kubernetes.cri-o.TrustedSandbox: "false" | 01:06 |
| kata-dev-irc-bot | <eric.ernst> example pod yaml: https://github.com/egernst/k8s-testing-scripts/blob/master/nginx-untrusted.yaml | 01:06 |
| kata-dev-irc-bot | <eric.ernst> there's a -trusted one as well | 01:06 |
| kata-dev-irc-bot | <eric.ernst> but how that annotation is interpreted then also depends on how crio is configured, specifically default trust level, etc. This is all described on that medium post, IIRC | 01:07 |
| *** mylinux_ has quit IRC | 01:30 | |
| *** sjas_ has joined #kata-general | 01:35 | |
| *** mylinux_ has joined #kata-general | 01:37 | |
| *** sjas has quit IRC | 01:38 | |
| kata-dev-irc-bot | <mayank.kumar> thanks @eric.ernst | 01:46 |
| kata-dev-irc-bot | <mayank.kumar> i have the following setting ``` cat /etc/crio/crio.conf | grep ^default_work default_workload_trust = "untrusted" root@worker-3:~/go/src/github.com/clearcontainers/tests/integration/kubernetes# cat /etc/crio/crio.conf | grep ^run runroot = "/var/run/containers/storage" runtime = "/usr/local/bin/crio-runc" runtime_untrusted_workload = "/usr/local/bin/cc-runtime" ``` | 01:46 |
| kata-dev-irc-bot | <mayank.kumar> but when i launch the pod with annotation trusted it still launches with the cc-runtime | 01:46 |
| kata-dev-irc-bot | <mayank.kumar> how can i fix it ? | 01:46 |
| kata-dev-irc-bot | <mayank.kumar> i am using the following yaml ``` apiVersion: v1 kind: Pod metadata: annotations: io.kubernetes.cri-o.TrustedSandbox: "true" name: ubuntu-pod2 spec: containers: - name: ubuntu image: "ubuntu:14.04" command: ["top"] stdin: true tty: true ``` | 01:47 |
| kata-dev-irc-bot | <eric.ernst> @mayank.kumar pasted from that blog write-up: When the default workload type is set to untrusted, the provided untrusted runtime in the CRI-O configuration will be used for all non-privileged containers regardless of the value of io.kubernetes.cri-o.TrustedSandbox. This rule ensures all workloads can be run using Clear Containers without any changes to default payload definitions. The result could be running all | 02:09 |
| kata-dev-irc-bot | non-infrastructure pods in Clear Containers with relative ease. In the event that an untrusted runtime is not defined when configuring CRI-O, all containers will fall back to the trusted runtime, which is configured by default as runc. | 02:09 |
| kata-dev-irc-bot | <eric.ernst> Hope that clarifies! | 02:09 |
| kata-dev-irc-bot | <mayank.kumar> if i change that to trusted(in crio.conf) do i need to restart something , i want to show a demo where i show one running through runc and other running through cc-runtime | 02:10 |
| kata-dev-irc-bot | <mayank.kumar> trying `systemctl restart crio` hopefully that fixes it | 02:19 |
| *** liujiong has joined #kata-general | 02:30 | |
| *** mylinux_ has quit IRC | 02:30 | |
| kata-dev-irc-bot | <mayank.kumar> hmm i think that fixxed it but `cc-runtime list` stopped working it seems | 02:37 |
| kata-dev-irc-bot | <mayank.kumar> i started the untrsuted pod and immediately saw a new qemu process but nithing in the cc-runtime list | 02:37 |
| kata-dev-irc-bot | <mayank.kumar> it seems there is some cleanup needed ``` cc-runtime list stat /var/lib/containers/storage/overlay/52e633703a812c8be925096afaba4d5346b92835e5b0a91e54c89dbb7ad311d6/merged: no such file or directory``` | 02:38 |
| *** mylinux has joined #kata-general | 03:19 | |
| *** mylinux has quit IRC | 03:25 | |
| *** liujiong has quit IRC | 03:46 | |
| *** mylinux has joined #kata-general | 04:21 | |
| *** mylinux has quit IRC | 04:26 | |
| *** jodh has joined #kata-general | 07:38 | |
| *** jodh has joined #kata-general | 07:38 | |
| *** gwhaley has joined #kata-general | 09:06 | |
| kata-dev-irc-bot | <samuel.ortiz> @mayank.kumar It makes more sense to set the default to trusted and annotate your pods with "untrusted" to show the mixed runtime use case. | 09:43 |
| *** mylinux has joined #kata-general | 10:20 | |
| *** mylinux has quit IRC | 10:25 | |
| *** gwhaley has quit IRC | 11:58 | |
| *** gwhaley has joined #kata-general | 13:20 | |
| *** mylinux_ has joined #kata-general | 13:39 | |
| *** jodh has quit IRC | 15:00 | |
| *** jodh has joined #kata-general | 15:00 | |
| *** jodh has joined #kata-general | 15:00 | |
| kata-dev-irc-bot | <mayank.kumar> thanks @samuel.ortiz | 16:28 |
| kata-dev-irc-bot | <mayank.kumar> for some reason cc-runtime has stopped working and it just shows the above message | 16:28 |
| kata-dev-irc-bot | <mayank.kumar> do you know a way to clean that up | 16:29 |
| kata-dev-irc-bot | <mayank.kumar> i see the new qemu processes but nothing in the cc-runtime list | 16:29 |
| kata-dev-irc-bot | <eric.ernst> @mayank.kumar I think this has to do with how kubeadm reset is being handled. | 17:12 |
| kata-dev-irc-bot | <eric.ernst> AFAIU, in that older version of CRIO/K8S, the reset is attempting to happen with help from docker, rather than using the crio socket. | 17:12 |
| kata-dev-irc-bot | <eric.ernst> So appropriate kill isn't ever coming down to the cc-runtime, resulting in some artifacts being left about. | 17:13 |
| kata-dev-irc-bot | <eric.ernst> I *think* that may be what you're running into. | 17:13 |
| kata-dev-irc-bot | <eric.ernst> Thankfully our testing just (this morning) moved to using latest (ish) K8S/CRIO now | 17:14 |
| *** leadfoot has joined #kata-general | 17:18 | |
| *** jodh has quit IRC | 18:02 | |
| *** gwhaley has quit IRC | 18:33 | |
| *** justJanne has quit IRC | 20:04 | |
| *** justJanne has joined #kata-general | 20:06 | |
| *** mylinux_ has quit IRC | 20:30 | |
| *** mylinux has joined #kata-general | 20:31 | |
| *** mylinux has quit IRC | 20:50 | |
| *** mylinux_ has joined #kata-general | 20:59 | |
| *** mylinux_ has quit IRC | 21:12 | |
| *** mylinux has joined #kata-general | 21:21 | |
| *** mylinux has quit IRC | 23:11 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!