Page MenuHomePhabricator
Create Task
Maniphest T362408

Migration to containerd and away from docker
Open, HighPublic
Actions

Description

Per T269684 we need to move away from docker. In February 2024, the serviceops team announced the results of the evaluation of the candidate replacement engines. Results and criteria have been documented in Kubernetes/CRE. The chosen container runtime engine was containerd. This task describes the plan for the migration and tracks the migration process itself

Plan

containerd upgrade

  1. Package and build containerd from bookworm for bullseye. The reason for this is various configuration directives that exist in the version in bookworm are referenced in the kubernetes upstream docs. See https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd. It also makes the migration to 1.25 kubernetes (T341984) a tad easier.
  2. Upload package to apt.wikimedia.org, upgrade staging nodes
  3. Upgrade all clusters to the newer containerd.
  4. Create puppetization for the configuration required by kubernetes

We 'll probably need a new profile profile::containerd or similar

Note: The upgrade process above doesn't require any kind of feature gating or flagging in puppet but rather just a deb-deploy manifest.

nerdctl

Docker has a relatively user friendly CLI. containerd doesn't. the ctr tool it ships with is a lower level, albeit useful tool. nerdctl, is a CLI released by the containerd project that is CLI compatible with docker CLI

  1. Package nerdctl. Probably utilizing our Upstream binaries policy to avoid the onus of having to build every since dependency
  2. Use puppet to install the package and populate a nerdctl configuration file /etc/nerdctl/nerdctl.toml to default to namespace k8s.io
  3. Test and approve.

Kubelet (the above are a prereq)

  1. Amend puppet to have behind a feature flag the following 2 parameters
--container-runtime-endpoint=unix:///run/containerd/containerd.sock 
--container-runtime=remote

Perform the migration in locksteps

Roughly for every batch of nodes

  1. Drain the nodes using kubectl drain --ignore-daemonsets=true --delete-emptydir-data=true
  2. Flip the feature flag in puppet for this batch
  3. Run puppet
  4. Rinse, repeat

Related Objects
Search...

Event Timeline

akosiaris created this task.Apr 12 2024, 1:44 PM
JMeybohm added a comment.Apr 15 2024, 8:02 AM

@akosiaris could you please double check in your test environment that containerd will still enforce the default apparmor profile (see Remove apparmor.security.beta.kubernetes.io/defaultProfileName in T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21) like docker currently does?

CDanis subscribed.Apr 18 2024, 7:20 PM
akosiaris mentioned this in T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21.Apr 24 2024, 11:21 AM
In T362408#9712356, @JMeybohm wrote:

@akosiaris could you please double check in your test environment that containerd will still enforce the default apparmor profile (see Remove apparmor.security.beta.kubernetes.io/defaultProfileName in T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21) like docker currently does?

Done in T273507#9739926

akosiaris updated the task description. (Show Details)Apr 24 2024, 1:59 PM
akosiaris updated the task description. (Show Details)
JMeybohm mentioned this in T365253: Allow Kubernetes workers to be deployed on Bookworm.May 17 2024, 1:57 PM
JMeybohm triaged this task as High priority.Wed, Jun 12, 3:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL