Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-3527

Allow to configure additional parameters via ContainerRuntimeConfig

    XMLWordPrintable

Details

    • Feature Request
    • Resolution: Done
    • Blocker
    • None
    • None
    • MCO, Node
    • 100
    • 100% 100%

    Description

      1. Proposed title of this feature request

      Allow to configure additional parameters via ContainerRuntimeConfig.

       

      2. What is the nature and description of the request?

      To configure CRI-O, the ContainerRuntimeConfig should be used instead of manually creating a MC to apply the changes, as that could cause that other configurations are overwritten by the MC. Some configurations are currently missing from the ContainerRuntimeConfig, like for example the skip_mount_home in the /etc/containers/storage.conf, suggested as a workaround for bug 2065283 (see comment #32 [2]).

      This RFE is to allow configuring additional parameters in the ContainerRuntimeConfig resource (and not only the skip_mount_home), for configuring /etc/crio/crio.conf and /etc/containers/storage.conf.

       

      3. Why does the customer need this? (List the business requirements here)

      Customer's use case:

      Our agent runs as a daemonset in k8s clusters and monitors the node.
      Running with mount propagation set to HostToContainer allows the agent to access any container file, also containers which start running after agent startup. With this settings, when a new container starts, a new mount is created and added to the host mount namespace and also to the agent container and by that the agent can access the container files
      e.g. the agent is mounted to /host and can access to the filesystem of other container by path
      /host/var/lib/containers/storage/overlay/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/merged/test_file

      This approach works in k8s clusters and OpenShift 3, but not in OpenShift 4. How can I make the agent pod to get noticed about any new mount which was created on the node and get access to it as well?

      The workaround for that was provided in bug 2065283 (see comment #32 [2]).

       

      4. List any affected packages or components.

      ContainerRuntimeConfig, CRI-O, Node, MCO.

       

      Additional information in this Slack discussion [3].

       

       

      [1] https://docs.openshift.com/container-platform/4.11/post_installation_configuration/machine-configuration-tasks.html#create-a-containerruntimeconfig_post-install-machine-configuration-tasks
      [2] https://bugzilla.redhat.com/show_bug.cgi?id=2065283#c32
      [3] https://coreos.slack.com/archives/CK1AE4ZCK/p1670491480185299

      Attachments

        Issue Links

          is cloned by

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-688 Enable privileged containers to view rootfs of other containers

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. OCPNODE-1713 Enable privileged containers to view rootfs of other containers

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-688 Enable privileged containers to view rootfs of other containers

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          links to

          Web Link KCS 6991155: Configuring CRI-O via MachineConfig in OCP 4

          Activity

            People

              gausingh@redhat.com Gaurav Singh
              oarribas@redhat.com Oscar Arribas Arribas
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: