Page MenuHomePhabricator
Create Task
Maniphest T284656

Toolforge k8s: Migrate workers to Containerd and Bookworm
Closed, ResolvedPublic
Actions

Description

To upgrade Kubernetes 1.24 we need to upgrade Toolforge workers to Containerd. We need Debian 12 for a new enough Containerd version.

toolsbeta

  • control
  • worker
  • ingress

tools

  • control
  • worker
  • ingress

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 9 2021, 2:35 PM
nskaggs triaged this task as Low priority.Aug 10 2021, 10:12 PM
taavi mentioned this in T280402: Upgrade Toolforge Kubernetes to latest 1.20.Oct 11 2021, 10:51 AM
Bstorm subscribed.Oct 12 2021, 3:35 PM

For this, we currently rely on docker settings to manage log length in containerd, much like prod does. We will want to find an equivalent later because some tools are otherwise very good at filling worker nodes (an old problem around here T148487). logrotate can handle it, but docker was quite good at it with fewer failures waiting for a logrotate run (yes people crashed k8s nodes between logrotate runs regularly, typically using java).

Whatever you use to solve that problem (some containerd setting or podman thing?), just know that our users can certainly outsmart logrotate by mistake.

Bstorm added a comment.Oct 12 2021, 3:40 PM

Looks like https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration has options (not the snazziest when it comes to puppetizing, but you can).

Bstorm added a comment.Oct 12 2021, 3:47 PM

Oh yeah, please don't remove docker-ce from the repos unless you account for the harbor use of it, also. It's running in docker compose and currently using our kubeadm components to do it.

taavi added a comment.Oct 13 2021, 8:58 AM
In T284656#7420325, @Bstorm wrote:

Oh yeah, please don't remove docker-ce from the repos unless you account for the harbor use of it, also. It's running in docker compose and currently using our kubeadm components to do it.

I was planning on just using what Debian packages, https://packages.debian.org/bullseye/docker.io and https://apt-browser.toolforge.org/buster-wikimedia/thirdparty/kubeadm-k8s-1-20/ both seem recent enough. Good to know Harbor needs this though, thanks!

taavi added a comment.Feb 16 2022, 7:00 PM

Based on https://github.com/containerd/containerd/issues/4830, https://github.com/kubernetes/enhancements/issues/2411, and CRIContainerLogRotation on https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ I think Kubernetes will automatically deal with log rotation on Containerd as needed.

taavi added a parent task: T307651: Upgrade Toolforge Kubernetes to version 1.24.May 5 2022, 6:58 AM
taavi mentioned this in T311908: Migrate Toolforge Kubernetes hosts to Debian Bullseye or later.Jul 2 2022, 12:22 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:51 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
taavi added a comment.Jan 19 2023, 11:59 AM

Beware: Kubernetes 1.24 requires containerd v1.6.4+ or v1.5.11+, while Bullseye repositories have 1.4.13. Bookworm (bullseye + 1) will ship with 1.6, or we might need to use third-party packages which I'd really rather not do.

taavi renamed this task from Toolforge k8s: Migrate from Docker to Containerd to Toolforge k8s: Migrate workers to Containerd and Bookworm.Oct 18 2023, 1:04 PM
taavi raised the priority of this task from Low to Medium.
taavi updated the task description. (Show Details)
taavi added a parent task: T311908: Migrate Toolforge Kubernetes hosts to Debian Bullseye or later.
taavi removed a subscriber: Bstorm.
gerritbot added a comment.Oct 23 2023, 10:15 AM

Change 967875 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] aptrepo: Import kubeadm 1.23 for bookworm

https://gerrit.wikimedia.org/r/967875

gerritbot added a project: Patch-For-Review.Oct 23 2023, 10:15 AM
gerritbot added a comment.Oct 25 2023, 9:35 AM

Change 968618 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:wmcs::kubeadm: rely on iptables-nft on bookworm

https://gerrit.wikimedia.org/r/968618

gerritbot added a comment.Oct 25 2023, 9:59 AM

Change 967875 merged by Majavah:

[operations/puppet@production] aptrepo: Import kubeadm 1.23 for bookworm

https://gerrit.wikimedia.org/r/967875

Stashbot added a comment.Oct 25 2023, 10:02 AM

Mentioned in SAL (#wikimedia-operations) [2023-10-25T10:02:03Z] <taavi> import kubernetes 1.23 packages for debian bookworm T284656

gerritbot added a comment.Oct 25 2023, 10:06 AM

Change 968623 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:wmcs::kubeadm: install containerd on bookworm

https://gerrit.wikimedia.org/r/968623

gerritbot added a comment.Oct 25 2023, 10:25 AM

Change 968618 merged by Majavah:

[operations/puppet@production] P:wmcs::kubeadm: rely on iptables-nft on bookworm

https://gerrit.wikimedia.org/r/968618

gerritbot added a comment.Oct 25 2023, 10:25 AM

Change 968623 merged by Majavah:

[operations/puppet@production] P:wmcs::kubeadm: install containerd on bookworm

https://gerrit.wikimedia.org/r/968623

Maintenance_bot removed a project: Patch-For-Review.Oct 25 2023, 10:30 AM
gerritbot added a comment.Oct 25 2023, 11:24 AM

Change 968634 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] kubeadm: only install containerd.io with docker

https://gerrit.wikimedia.org/r/968634

gerritbot added a project: Patch-For-Review.Oct 25 2023, 11:24 AM

Change 968635 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] kubeadm: containerd: install br_netfilter kmod

https://gerrit.wikimedia.org/r/968635

gerritbot added a comment.Oct 25 2023, 12:04 PM

Change 968647 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] kubeadm: add required config for containerd

https://gerrit.wikimedia.org/r/968647

taavi edited projects, added Toolforge (Toolforge iteration 01); removed Toolforge.Oct 25 2023, 12:40 PM
taavi moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 01) board.
taavi claimed this task.Oct 25 2023, 1:27 PM
dcaro edited projects, added Toolforge (Toolforge iteration 02); removed Toolforge (Toolforge iteration 01).Oct 25 2023, 1:54 PM
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 02) board.
taavi added a comment.Oct 25 2023, 4:18 PM

The above patches make it possible to provision a new host on bookworm. There are a couple of issues however:

  • cadvisor does not work
  • the extra volume for /var/lib/docker has not been ported yet
  • I haven't checked if the log file max size still works
CodeReviewBot added a comment.Oct 26 2023, 8:08 AM

taavi opened https://gitlab.wikimedia.org/repos/cloud/toolforge/wmcs-k8s-metrics/-/merge_requests/4

chart: update cadvisor to 0.47.2

taavi closed subtask T349795: Upgrade cadvisor as Resolved.Oct 30 2023, 2:05 PM
taavi reopened subtask T349795: Upgrade cadvisor as Open.Nov 1 2023, 2:22 PM
gerritbot added a comment.Nov 2 2023, 10:25 AM

Change 968634 merged by Majavah:

[operations/puppet@production] kubeadm: only install containerd.io with docker

https://gerrit.wikimedia.org/r/968634

gerritbot added a comment.Nov 2 2023, 10:25 AM

Change 968635 merged by Majavah:

[operations/puppet@production] kubeadm: containerd: add kernel modules and config

https://gerrit.wikimedia.org/r/968635

gerritbot added a comment.Nov 2 2023, 10:27 AM

Change 968647 merged by Majavah:

[operations/puppet@production] kubeadm: add required config for containerd

https://gerrit.wikimedia.org/r/968647

dcaro edited projects, added Toolforge (Toolforge iteration 03); removed Toolforge (Toolforge iteration 02).Jan 9 2024, 3:28 PM
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 03) board.
dcaro changed the task status from Open to In Progress.Jan 18 2024, 5:06 PM
taavi closed subtask T349795: Upgrade cadvisor as Resolved.Jan 24 2024, 9:16 AM
dcaro edited projects, added Toolforge (Toolforge iteration 04); removed Toolforge (Toolforge iteration 03).Jan 24 2024, 9:17 AM
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 04) board.
taavi added a comment.Jan 24 2024, 10:03 AM

cadvisor does not work

Fixed with the upgrade.

I haven't checked if the log file max size still works

According to the Kubernetes docs, "containerLogMaxSize is a quantity defining the maximum size of the container log file before it is rotated. For example: "5Mi" or "256Ki". If DynamicKubeletConfig (deprecated; default off) is on, when dynamically updating this field, consider that it may trigger log rotation. Default: "10Mi"". So I think we're fine.

So that leaves the extra volume. It seems like Containerd spreads what Docker stores in /var/lib/docker to a few different places so we need to workaround that somehow.

gerritbot added a comment.Jan 24 2024, 10:21 AM

Change 992633 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:wmcs::kubeadm: worker: support containerd separate volume

https://gerrit.wikimedia.org/r/992633

gerritbot added a comment.Jan 24 2024, 10:34 AM

Change 992633 merged by Majavah:

[operations/puppet@production] P:wmcs::kubeadm: worker: support containerd separate volume

https://gerrit.wikimedia.org/r/992633

taavi added a parent task: T355883: Create a pool of NFS-less Toolforge Kubernetes workers.Jan 25 2024, 1:00 PM
gerritbot added a comment.Jan 25 2024, 1:02 PM

Change 992923 had a related patch set uploaded (by Majavah; author: Majavah):

[cloud/wmcs-cookbooks@main] toolforge: add_k8s_node: Add support for containerd

https://gerrit.wikimedia.org/r/992923

gerritbot added a comment.Jan 25 2024, 1:02 PM

Change 992926 had a related patch set uploaded (by Majavah; author: Majavah):

[cloud/wmcs-cookbooks@main] toolforge: add_k8s_node: Allow passing --network

https://gerrit.wikimedia.org/r/992926

taavi added a parent task: T262562: [infra] Fix the mis-named k8s service in tools and toolsbeta projects.Jan 26 2024, 11:02 AM
gerritbot added a comment.Jan 26 2024, 1:44 PM

Change 992923 merged by jenkins-bot:

[cloud/wmcs-cookbooks@main] toolforge: add_k8s_node: Add support for containerd

https://gerrit.wikimedia.org/r/992923

taavi mentioned this in rCCKBf7b93271fc13: toolforge: add_k8s_node: Add support for containerd.Jan 26 2024, 1:44 PM
gerritbot added a comment.Jan 29 2024, 6:54 PM

Change 992926 merged by jenkins-bot:

[cloud/wmcs-cookbooks@main] toolforge: add_k8s_node: Allow passing --network

https://gerrit.wikimedia.org/r/992926

taavi mentioned this in rCCKBaa0ff4ab1f8b: toolforge: add_k8s_node: Allow passing --network.Jan 29 2024, 6:54 PM
dcaro edited projects, added Toolforge (Toolforge iteration 05); removed Toolforge (Toolforge iteration 04).Feb 6 2024, 5:43 PM
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 05) board.
taavi updated the task description. (Show Details)Feb 13 2024, 3:18 PM
taavi mentioned this in T357901: Request increased server-group-members quota for tools.Feb 19 2024, 12:30 PM
taavi added a subtask: T357901: Request increased server-group-members quota for tools.
taavi closed subtask T357901: Request increased server-group-members quota for tools as Resolved.Feb 19 2024, 12:34 PM
taavi updated the task description. (Show Details)Feb 20 2024, 2:17 PM
taavi updated the task description. (Show Details)Feb 20 2024, 4:07 PM
dcaro edited projects, added Toolforge (Toolforge iteration 06); removed Toolforge (Toolforge iteration 05).Feb 21 2024, 10:10 AM
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 06) board.
Stashbot added a comment.Feb 22 2024, 9:29 AM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-02-22T09:29:38Z] <aborrero@cloudcumin1001> START - Cookbook wmcs.toolforge.add_k8s_node for a control role in the tools cluster (T284656)

aborrero subscribed.Feb 22 2024, 9:30 AM

Running cookbook:

aborrero@cloudcumin1001:~ $ sudo cookbook wmcs.toolforge.add_k8s_node --cluster-name tools --task-id T284656 --role control

If this were the first bookworm control node, we would add the argument --image debian-12.0-bookworm, but since it is not, the cookbook will use the last node image.

aborrero added a project: User-aborrero.Feb 22 2024, 9:30 AM
Stashbot added a comment.Feb 22 2024, 11:23 AM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-02-22T11:23:02Z] <aborrero@cloudcumin1001> START - Cookbook wmcs.toolforge.remove_k8s_node (T284656)

Stashbot added a comment.Feb 22 2024, 11:23 AM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-02-22T11:23:50Z] <aborrero@cloudcumin1001> END (PASS) - Cookbook wmcs.toolforge.remove_k8s_node (exit_code=0) (T284656)

aborrero added a comment.EditedFeb 22 2024, 11:32 AM

I plan to upgrade the last control node next monday 2024-02-26.

aborrero moved this task from Backlog to Next on the User-aborrero board.Feb 22 2024, 11:56 AM
gerritbot added a comment.Feb 22 2024, 2:09 PM

Change 1005766 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[cloud/wmcs-cookbooks@main] inventory: refresh tools k8s control nodes

https://gerrit.wikimedia.org/r/1005766

gerritbot added a comment.Feb 22 2024, 2:13 PM

Change 1005766 merged by Arturo Borrero Gonzalez:

[cloud/wmcs-cookbooks@main] inventory: refresh tools k8s control nodes

https://gerrit.wikimedia.org/r/1005766

aborrero mentioned this in rCCKB3a57a2190a4d: inventory: refresh tools k8s control nodes.Feb 22 2024, 2:14 PM
gerritbot added a comment.Feb 23 2024, 10:49 AM

Change 1005954 had a related patch set uploaded (by Majavah; author: Majavah):

[cloud/wmcs-cookbooks@main] toolforge: k8s: Support containerd as container runtime

https://gerrit.wikimedia.org/r/1005954

gerritbot added a comment.Feb 23 2024, 10:54 AM

Change 1005954 merged by jenkins-bot:

[cloud/wmcs-cookbooks@main] toolforge: k8s: Support containerd as container runtime

https://gerrit.wikimedia.org/r/1005954

taavi mentioned this in rCCKB97306ac49c27: toolforge: k8s: Support containerd as container runtime.Feb 23 2024, 10:55 AM
Stashbot added a comment.Feb 26 2024, 9:26 AM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-02-26T09:26:11Z] <aborrero@cloudcumin1001> START - Cookbook wmcs.toolforge.add_k8s_node for a control role in the tools cluster (T284656)

Stashbot added a comment.Feb 26 2024, 9:54 AM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-02-26T09:53:59Z] <aborrero@cloudcumin1001> START - Cookbook wmcs.toolforge.remove_k8s_node (T284656)

Stashbot added a comment.Feb 26 2024, 9:54 AM

Mentioned in SAL (#wikimedia-cloud-feed) [2024-02-26T09:54:45Z] <aborrero@cloudcumin1001> END (PASS) - Cookbook wmcs.toolforge.remove_k8s_node (exit_code=0) (T284656)

aborrero mentioned this in rCCKB065ba61a1cfb: inventory: refresh tools-k8s-control nodes.Feb 26 2024, 10:02 AM
aborrero closed this task as Resolved.EditedFeb 26 2024, 10:52 AM
aborrero updated the task description. (Show Details)

This is done:

aborrero@tools-sgebastion-11:~$ kubectl sudo get nodes -o wide | grep control
tools-k8s-control-7       Ready    control-plane,master   5d1h    v1.23.17   172.16.0.144   <none>        Debian GNU/Linux 12 (bookworm)   6.1.0-18-cloud-amd64   containerd://1.6.20
tools-k8s-control-8       Ready    control-plane,master   4d1h    v1.23.17   172.16.5.194   <none>        Debian GNU/Linux 12 (bookworm)   6.1.0-18-cloud-amd64   containerd://1.6.20
tools-k8s-control-9       Ready    control-plane,master   77m     v1.23.17   172.16.3.135   <none>        Debian GNU/Linux 12 (bookworm)   6.1.0-18-cloud-amd64   containerd://1.6.20
dcaro moved this task from In Progress to Done on the Toolforge (Toolforge iteration 06) board.Mar 5 2024, 9:34 AM
aborrero closed subtask T358476: toolforge k8s: some static pods needs manual restart as Resolved.Mar 5 2024, 2:45 PM
gerritbot added a comment.Mar 14 2024, 3:21 PM

Change 1011138 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] kubeadm: Drop buster support

https://gerrit.wikimedia.org/r/1011138

gerritbot added a comment.Mar 18 2024, 11:09 AM

Change 1011138 merged by Majavah:

[operations/puppet@production] kubeadm: Drop buster support

https://gerrit.wikimedia.org/r/1011138

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits