Daemonset install without reboot #1349
Conversation
Added a check to the osc-kata-install script to ensure the installation only proceeds when the NODE_LABEL environment variable is set. This prevents unintended behavior during daemonset deployment. Signed-off-by: Patrik Fodor <[email protected]>
…emonSet - Migrated peer-pods configuration handling into the osc-rpm DaemonSet. - Prepares for the transition where config files are bundled with the rpm package. - Simplifies the overall installation process and operator logic. - Lays groundwork for installing Kata Containers without requiring node reboot. Signed-off-by: Patrik Fodor <[email protected]>
openshift-ci
bot
added
the
needs-ok-to-test
|
Hi @Pacho20. Thanks for your PR. I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Hey @Pacho20, I may be mistaken, but I think that That would explain why you need to kill and restart the process. |
|
The title of the first commit is a big long. And GitHub still does not have a way to comment directly on commit messages. |
| exit 1 | ||
| } | ||
|
|
||
| [[ -z "${NODE_LABEL:-}" ]] && { |
There was a problem hiding this comment.
The -u option is set, so if the variable is unset, it results in an error. Therefore, we don’t necessarily need :-, but using it allows us to set the variable to an empty string and thereby control the error message.
There was a problem hiding this comment.
I meant: You are adding a test to check if NODE_LABEL is not set, with an error message that essentially is a almost exactly what bash itself would give you.
I see no functional difference between
ERROR: NODE_LABEL env var must be set
and
NODEL_LABEL: unbound variable
So that code segment seems pointless to me.
Alternative: make the error message better, and send it to stderr instead of stdout.
| RUN mkdir -p /scripts | ||
|
|
||
| ADD osc-kata-install.sh osc-configs-script.sh osc-log-level.sh lib.sh /scripts/ | ||
| ADD osc-kata-install.sh osc-log-level.sh lib.sh /scripts/ |
There was a problem hiding this comment.
I don't really understand why merging two scripts into one makes things simpler. Isn't it clearer what each step does when they are separated? Aren't there cases where you would want to reconfigure without reinstalling?
There was a problem hiding this comment.
I removed most of the content from that script, so I thought moving it into the other one wouldn’t be a problem. I don’t think there are any cases that require reconfiguration. The two functions I moved to the other script will be removed anyway, since these config files will be part of the RPM package. Nevertheless, I think you’re right - it makes more sense to keep them in separate scripts.
| rm -rf /host/tmp/extensions/ | ||
|
|
||
| # Copy configs | ||
| copy_kata_remote_config_files |
There was a problem hiding this comment.
If the goal is to simplify the workflow, the same overall simplification could be achieved by simply invoking the config script, no?
There was a problem hiding this comment.
Yup, you're right about that.
| for _, node := range nodes { | ||
| r.Log.Info("node must be rebooted", "node", node.Name) | ||
| } | ||
| //r.scheduleInstallation(UninstallKata) |
There was a problem hiding this comment.
Is that a TODO or a leftover? AFAICT Uninstall is implemented, so looks to me like that code should be uncommented and the code above it removed?
There was a problem hiding this comment.
Ah, I think that the problem is that uninstall without reboot won't work. Add a comment here then
There was a problem hiding this comment.
correct. uninstall ran into issues so it's just disabled. As the primary use case I want fixed with this is worker updates, uninstall I'm fine leaving as customer must manually reboot worker to finish uninstall. It was left as a may implement later.
| exec_on_host "systemctl daemon-reload" | ||
| exec_on_host "systemctl restart crio" | ||
|
|
||
| wait_till_node_is_ready |
There was a problem hiding this comment.
Can we add a timeout on the various wait and error out if we exceed it?
If you want to use the timeout command, you will need to either export the wait functions or put them in some separate script. Or you can add your own custom timeout. But having no node reach the ready state seems like a condition we should be ready to deal with gracefully.
I offered node debug and lsof might answer this also |
I had a similar hypothesis. I checked the file descriptors with I checked where it comes from, and the config validator seems to ignore it and load the new runtime anyway. The relevant part of But even with successful reloading, when kubelet tries to invoke the You can find the code related to the error message here and the method using it, which is used in every The other thing I noticed (which is probably worse) while checking the kubelet logs is that the If anyone has more insight, I’d gladly hear it. |
|
@Pacho20 In the current state, this clearly needs quite a bit more work. Would you mind flagging it as do-not-merge until the PR is in a more complete state? |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
This change introduces the use of rpm-ostree apply-live and restarts CRI-O, allowing both kata and kata-remote to function without requiring node reboots. Signed-off-by: Patrik Fodor <[email protected]>
Pacho20
force-pushed
the
daemonset-install-without-reboot
branch
from
09b0a6c to
47d28ac
Compare
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
4 participants
- Description of the problem which is fixed/What is the use case
The DaemonSet installation mode requires manual node reboots, which complicates both installation and uninstallation. This can confuse users and results in a poor user experience. The introduced changes aim to eliminate the need for reboots and make the process more seamless, although the current solution is not fully complete.
- What I did
Removed the configuration script and DaemonSet, as they made the installation process unnecessarily complex. Added
rpm-ostree live-applyto enable Kata on worker nodes without rebooting. Extended the controller to schedule the installation process so that nodes are updated one at a time.Initially, I tried to use
systemctl reloadfor CRI-O instead of a full restart. This would have been a better solution because it avoids interrupting both CRI-O and kubelet and does not rely on their state restoration (which can fail in some cases). Whilereloadworks and CRI-O reloads its configuration, it fails to locate the executable for Kata runtime, returning the error:stat: no such file or directoryfor/usr/bin/containerd-shim-kata.The binary exists and works, but CRI-O cannot find it. I investigated multiple possibilities: checking the file in CRI-O’s namespace using
nsenter, verifying permissions, SELinux flags, mount options, kernel parameters—everything suggests CRI-O should be able to invoke the binary. I still have a few ideas to check the interaction between CRI-O and the kernel during this lookup. If you have any insight into why this happens or how to fix it, that would greatly simplify the installation process.As a fallback, I verified that CRI-O can invoke the Kata runtime after a full restart, so that is the current approach. However, this is not ideal because restarting CRI-O also triggers a kubelet restart (at least on ROKS). Installation works reliably because
rpm-ostree installtakes time, giving kubelet a chance to recover. Uninstallation, however, fails: although the script waits for the node to be in a "Ready" state, the node never becomes "NotReady" during kubelet restart. This means uninstall runs on other nodes while kubelet is still recovering, and triggers kubelet restarts on those nodes too, leaving the cluster in a broken state where most pods enterImagePullBackOfforCrashLoopBackOff. Recovery is possible by restarting pods in the right order, but this should not happen. I could not find a reliable way to detect when kubelet and CRI-O are fully restored, so for now I reintroduced manual reboot for uninstallation.One reason I pursued this approach is that the community operator uses a similar method successfully. They use the kata-deploy script - see:
https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/scripts/kata-deploy.sh#L764C10-L778.
Currently, I see three possible paths forward:
systemctl reloadwork for CRI-O without breaking Kata runtime.- How to verify it
Build the operator using the updated
scripts/kata-install/Dockerfile. Apply theKataConfigCR and wait until all nodes reach the "installed" status.- Description for the changelog
Change DaemonSet mode to eliminate node reboots (installation only; uninstallation still requires reboot for now).
EDIT: this is expected to fix https://issues.redhat.com/browse/KATA-4233