Hack to handle GKE COS Containerd #62
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
**Background** We've run into some problems with GKE's COS with the containerd runtime. This manifests as a permissions issue when attempting to use runc to initiate a side car container which mounts the `state` and `logs` paths (which are themselves hostmounted paths) from the daemonset **Change** Don't mount these paths as hostmounts Gremlin agent will create these inside the daemonset's pod's chroot and then mount those inside of the sidecar which does work properly. The only downside is we lose debuggability when the ds pod restarts as the folders aren't hostmounted. While this is undesirable it is acceptable to work around the GKE limitations In order to support this the Helm chart will identify if it's installing on to a GKE COS containerd environment before removing these hostmounts NOTE: Helm doesn't run the lookup command when running a `template` command or a `--dry-run` and you will not get the hostmounts removed when debugging that way. Instead you have to do the full installation to test
doshmajhan
approved these changes
Jan 3, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
We've run into some problems with GKE's COS with the containerd runtime.
This manifests as a permissions issue when attempting to use runc to
initiate a side car container which mounts the
stateandlogspaths(which are themselves hostmounted paths) from the daemonset
Change
Don't mount these paths as hostmounts
Gremlin agent will create these inside the daemonset's pod's chroot and
then mount those inside of the sidecar which does work properly. The
only downside is we lose debuggability when the ds pod restarts as the
folders aren't hostmounted. While this is undesirable it is acceptable
to work around the GKE limitations
In order to support this the Helm chart will identify if it's installing
on to a GKE COS containerd environment before removing these hostmounts
NOTE: Helm doesn't run the lookup command when running a
templatecommand or a
--dry-runand you will not get the hostmounts removedwhen debugging that way. Instead you have to do the full installation
to test