Support V3 containerd task service and Sandboxers
In containerd 1.7 the v3 task service was introduced. In v3 both ttrpc and grpc are supported; choosing what RPC to use should definitely take into account memory overhead.
There's no real rush here, but V3 does buy us some simplified logic in bootstrapping the shim and support for "sandboxer" services.
"Sandboxer" can do a number of things; the immediate benefit is we don't have to have this logic that guesses that the first container sent to the shim (with a cri label) is actually the "pause" container. Instead it leaves that implementation detail up to the sandboxer. It would also make the "shared" mode as described in our readme a first-class citizen.
Related:
- https://github.com/containerd/containerd/pull/9233
- https://github.com/containerd/containerd/pull/6703
- https://github.com/containerd/containerd/pull/8268
- https://github.com/containerd/containerd/pull/7228
Sorry if these are silly questions:
- Would we gain support for v3 through the containerd-shim crate?
- Is v3 being backported to older containerd?
- If not, do we want to keep the v2 code for compatibility with older containerd?
- Could we remove the special handling for pause container since we support native/linux containers (what we use for sidecar containers)?
Would we gain support for v3 through the containerd-shim crate?
I think that's where we'd need to focus
Is v3 being backported to older containerd?
No
If not, do we want to keep the v2 code for compatibility with older containerd?
Yep
Could we remove the special handling for pause container since we support native/linux containers (what we use for sidecar containers)?
We probably should for compatibility's sake... but this is going to start getting hairy, I think, with sandboxers. In this case the sandboxer would be responsible for managing the (pod) sandbox.
I believe rust-extensions added the sandbox apis a couple releases ago: https://github.com/containerd/rust-extensions/pull/145
Hi, I'm the maintainer of Kuasar. We have forked rust-extensions and made a "sandbox crate" that implements the Controller service of containerd/api/services/sandbox/v1/sandbox.proto and provides a scaffold for "sandboxer". I believe this crate can help in your case.
The current origin Sandbox APIs are immature and incomplete, so we are planning to promote our forked containerd. To achieve this, we have presented many times at containerd community meetings introducing "sandboxer" (please refer to the meeting record) and got approval from many containerd maintainers. There is a tracking issue with v2.0 milestone: https://github.com/containerd/containerd/issues/9431
After this issue, we also expect to push the "sandbox crate" to the origin repo. I think we can contribute together if runwasi plans to support Sandbox API too.
That would be coolio, @Burning1020 !
If I understand this correctly, the issue https://github.com/containerd/containerd/issues/9431 is to track progress for the "sandboxer" APIs, which are different from the sandbox APIs that are included in containerd 2.0. Are the sandboxer APIs expected to be included in the 2.0 release as well or separate? Would appreciate some clarifications 🙏 @Burning1020
If I understand this correctly, the issue containerd/containerd#9431 is to track progress for the "sandboxer" APIs, which are different from the sandbox APIs that are included in containerd 2.0.
The API is part of it, exactly #9736 and #9903, the others are some code refactoring.
Are the sandboxer APIs expected to be included in the 2.0 release as well or separate?
We all (including containerd maintainers) expect to have the sandbox feature released in 2.0 as discussed in the last community meeting; the maintainers are trying their best to review, though the workload is heavy. Would you guys like to help in review?
Would you guys like to help in review?
I would love to! I think @cpuguy83 is already actively involved in this part, correct me if I am wrong?
Just to clarify, the sandboxer APIs and sandbox APIs are part of the same feature in containerd 2.0, right?
@Mossaka Thank you. They are in the same feature, the sandboxer APIs should also be involved in 2.0 without which the sandbox feature is hard to use.