New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Identify, document and maybe remove kubelet dependencies #26093
Comments
@pwittrock What is the best way to document these requirements moving forward? |
@luxas Classy digging, and this is super-useful to have. +100 We should decide at what level we want to document transitive deps. For example, cadvisor is going to begin calling |
@vishh I think adding a page to the "Administering Clusters" at http://kubernetes.io/docs/ would be the best place |
@pmorie Thanks :) It took some time to dig out. When we document it, I think we should present them in groups, e.g. always required, required with option But we should also get rid of some:
|
Automatic merge from submit-queue Do not call NewFlannelServer() unless flannel overlay is enabled Ref: #26093 This makes so kubelet does not warn the user that iptables isn't in PATH, although the user didn't enable the flannel overlay. @vishh @freehan @bprashanth
Some things I've learned so far (will update the list)
|
There's a dependency on |
@pmorie Added. Do you remember any others right now? |
@luxas Nope, I just saw that one during a code review. |
In addition to documenting these, I think it would be useful to check for all of them on kubelet startup. Hard dependencies should log fatal errors, and soft dependencies could log warnings. |
nfs-utils (at least on Fedora/Red Hat/CentOS based systems) is needed by the nfs volume plugin. |
ceph-common (at least on Fedora/Red Hat/CentOS based systems) is needed for the ceph volume plugin |
glusterfs-fuse should be all that is needed for using the gluster storage plugin (at least on Fedora/Red Hat/CentOS based systems). |
iscsi-initiator-utils (Fedora/Red Hat/CentOS based systems) is needed by the iscsi volume plugin |
@timstclair I'm not sure you would want a fatal error if a storage plugin dependency isn't available, I would expect them to just not be loaded (and an obvious event and log message generated) if that is the case. |
Thanks @detiber! (And for anyone out there that knows even more deps of the kubelet, comment!) I think @timstclair meant that all storage drivers are soft deps, so kubelet would log a warning. |
Is this part of NodeSpec? I am still unclear what kubernetes/enhancements#56 is trying to describe. |
Just noticed that
|
Summarizing the PATH requirements for kubelet (oh my!):
Hard requirements (kubelet should fail without these):
I'm not sure if these should be hard or soft deps:
How to remove some dependencies (before v1.4):
A dedicated I can start to implement a WDYT? |
Not only we need |
I was thinking about this a bit over the weekend, and have an idea I'd like to float before writing a more formal proposal. It's not a complete solution to this problem, but should help:
What does this get us?
WDYT? Is it worth pursuing this idea further? * It even enables things like a 'registration' mechanism, so binaries can report their dependencies and check them at startup (differentiating required & optional deps). |
@tallclair This proposal is extremely valuable. Being able to audit what tools are shelled out to helps with security, packaging, and maintenance. We could ship an image or package of standard 'shell utilities', be able to upgrade them and audit them for security vulnerabilities when needed. Couple thoughts:
|
+1 here. This will make it easier to make sure all OS or distro-dependent exec calls are audited and sanitized. |
/assign @tallclair |
I'm not sure if that's the right place to drop that (perhaps new issue should be created?), but for people running For my project, I run I documented it here, even though it's probably incomplete, as I didn't test everything yet. |
this type of documentation improvement is nice to have. |
Just a note here - I had my own version of nsenter installed (via pip3 install) on ubuntu20. This caused a continual kubelet crash which took a while to diagnose - kubelet of course wanted nsenter from util-linux. It sure would be nice if the preflight called out the dependency on the distro version of nsenter. Oct 09 18:45:59 faucet kubelet[296741]: E1009 18:45:59.180219 296741 pod_workers.go:191] Error syncing pod db24ffc3-ef58-45b8-87f9-6da3dd701ce7 ("coredns-f9fd979d6-7d488_kube-system(db24ffc3-ef58-45b8-87f9-6da3dd701ce7)"), skipping: failed to "StartContainer" for "coredns" with CrashLoopBackOff: "back-off 40s restarting failed container=coredns pod=coredns-f9fd979d6-7d488_kube-system(db24ffc3-ef58-45b8-87f9-6da3dd701ce7)" |
/joke |
@XuanYang-cn: A termite walks into a bar and asks “Is the bar tender here?” In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/triage accepted |
/priority important-longterm |
/remove-priority backlog |
This issue has not been updated in over 1 year, and should be re-triaged. You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/ /remove-triage accepted |
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
HI @thockin, Could you please share why did you close this one? |
Mostly backlog grooming. This is 7 years old and the last meaningful update was 3 years ago. Does it serve a purpose to leave it open? Is someone going to do it? It's a wonderful idea....if someone will act on it, let's reopen? |
Kubelet has a few dependencies, and we should be aware of them, document them so users know what's the minimum amount of other programs kubelet needs around it to execute successfully.
I'm testing this by compiling kubelet statically and running it in a
busybox
container with absolutely nothing. I've been surprised how well it runs after all.I'm listing some, both hard and soft dependencies:
glibc
: hard dependency on the right libraries at runtime. We should get rid of this, as it's unnecessary: Make all Kubernetes binaries statically linked #26028root
access: hard dependency and unavoidable. The kubelet has to have full control of the machine (CAP_SYS_ADMIN
is one of the privs that are needed, at least when running in a container)cgroups
cpu
andmemory
: required and used in the meantimecpuacct
andcpuset
: required but not used (but @vishh said they will be used in the future)journalctl
: bug in cAdvisor, should not be requirediptables
: Is required for the kubelet it seems: Do not call NewFlannelServer() unless flannel overlay is enabled #26264, although now flannel isn't initialized when not used.ethtool
: Required forhairpin
code. I do not really understand whathairpin
is required/used for... @thockin @bprashanthnsenter
: Used asutil/io/writer
when--containerized
. Used by--docker-exec-handler
, but not default. Used withsocat
for port forwarding within a pod.mount
,umount
andfindmnt
: Used inNsenterWriter
inutil/io/writer
socat
: Used for port forwarding within a pod. codetouch
: Used byrkt
codedocker
orrkt
obviouslysystemd
? Doesrkt
require asystemd
host? @yifan-gu/:ro
it must be able to read from the whole host/var/run/:rw
required for communicating with docker, setting up certs etc./sys/:rw
for variouscgroup
things/var/lib/kubelet:rw
and/var/lib/docker:rw
it obviously must be able to write to it's own and docker's dirfor
kube-proxy
:iptables
: is of course a hard requirement. But the problem is that (as it seems) iptables has to be linked dynamically, which sets aglibc
dep on thekube-proxy
image.conntrack
: used for limiting requests (I think)inside client containers:
env
: Seems like it's required inside a container that Kubernetes is running, but only when using--docker-exec-handler=native
codevolume plugins:
dmidecode
: required for the vsphere pluginglusterfs-server
,glusterfs-client
are required for theglusterfs
plugingit
is required for the git pluginPlease correct me if I'm wrong, and comment if there is anything I've missed.
Would appreciate discussion about this (and we should have multi-platform Kubernetes in mind)
cc @vishh @smarterclayton @mikedanese @pmorie
The text was updated successfully, but these errors were encountered: