-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fedora 39 (CoreOS) cri-o installation issues #7635
Comments
I can inform you that I tried building a CoreOS image where installation from cri-o 1.28.2 tarball skipped installing conmon. The end result was that podman is ok with that - it doesn't report "Error: conmon failed: exit status 1" any more. And cri-o is happy too. k8s on top of cri-o starts-up and all pods are green. So it seems cri-o works with conmon supplied by Fedora rpm package, but podman doesn't work with conmon supplied by cri-o tarball. I wonder why that would be? |
@plevart, thank you for getting in touch, and I am sorry to hear you have issues! To surmise the above:
Would this be correct? I also have a question: why do it this way? Why not use the RPM package? Any issues? |
@kwilczynski ...almost correct. To answer your questions:
As to why not use the RPM package. I tried with RPM package released on the official k8s repo: https://pkgs.k8s.io/addons:/cri-o:/stable:/v1.28/rpm/, but this package looks like it is not meant for Fedora as it includes conflicting files (conmon) and therefore fails to install on top of CoreOS base that already contains rpm package conmon. I can't de-install the conmon package as it is a dependency of many other packages that are part of CoreOS, including vital package rpm-ostree. grep -v cni-plugins < install | grep -Ev 'conmon$' | PREFIX=/usr bash |
Hint: would it be difficult for you to release Fedora rpm(s) in non-modularized repo(s) in addition to modules? The official k8s repositories structure already seems to support that. With one repo per minor release. This would finally enable straightforward installation on CoreOS. Either by package layering or by creating custom CoreOS images. |
hey @plevart we are actually discussing doing just that with Brad Smith from the fedora community. We're working on propopsals for F40 to provide a package for kube, crictl and cri-o using non-modularized packages. |
Here was my workaround, to be able to run both podman and cri-o (OBS) on Fedora 39 (Cloud):
The packages still conflict, just that the fedora binaries are overwritten with the static nix binaries.
And the /etc/containers/policy.json is overwritten with the variant without the RedHat GPG keys... -{
- "default": [
- {
- "type": "insecureAcceptAnything"
- }
- ],
- "transports": {
- "docker": {
- "registry.access.redhat.com": [
- {
- "type": "signedBy",
- "keyType": "GPGKeys",
- "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
- }
- ],
- "registry.redhat.io": [
- {
- "type": "signedBy",
- "keyType": "GPGKeys",
- "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
- }
- ]
- },
- "docker-daemon": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- }
- }
-}
+{ "default": [{ "type": "insecureAcceptAnything" }] }
Afterwards, the package database is a bit sad.
|
If you run conmon with the arguments provided by podman --debug, you will see that the option parsing changed:
|
I've tried giving this a look, and I think it's going to be tricky. we basically have to hardcode the version of conmon, crun, and c/common in the cri-o bundle somehow, so the rpm can read it and set a Another option is we can separate the cri-o rpm from the cri-o-extras (or other name) rpm. A user who has access to their own conmon/crun/common could use those, but one who doesn't could install the cri-o-extras rpm. WDYT @saschagrunert ? |
I thought that is why there were two versions of the It is somewhat unfortunate that the podman conmon (the one in system) installs itself under libexec/crio, And it makes sense, as long as you run the old crio in fedora and not the new crio from kubernetes |
the conmons should be compatible so my hope is you could run either crio in this scheme |
This is blocking OKD 4.16 update to CRI-O 1.29 |
Apparently the new version of conmon (2.1.10) doesn't work for the new version of podman (4.9.2), either.
|
@plevart : did you file any issue with the podman project, regarding this issue ? I can't seem to find it. I found out that the error was due to the |
The latest prerelease packages should be isolated from any system binary because we moved conmon, runc, crun and the policy.json into CRI-O owned files. Can you give those a try? We have no official version release yet with the new changes, though. |
Prerelease works perfectly for OKD, thanks! |
The "podman conmon" is a Fedora RPM package (conmon-2.1.8-2.fc39.x86_64 in my original post) and installs it into But cri-o tarball install can be hacked to not install conmon so the "podman" version can be used with cri-o. This is my current workaround. I encourage future cri-o RPM package in k8s repo to use private version of |
When I explicitly configured the location of the I think it can end up as empty ("") now, due to the possibility of being able to use either of cni or netavark? # Path to the directory where network configuration files are located.
# For the CNI backend the default is "/etc/cni/net.d" as root
# and "$HOME/.config/cni/net.d" as rootless.
# For the netavark backend "/etc/containers/networks" is used as root
# and "$graphroot/networks" as rootless. |
Previously I ended up with an empty string, which caused an off-by-one in the conmon parameters
So it sounds like a bug in Podman. |
Hi, Do you happen to know whether this is also true for a cri-o RPM package published on k8s repos? I will check that myself tomorrow. |
yup it also applies there! |
A friendly reminder that this issue had no activity for 30 days. |
/remove-lifecycle stale |
/assign saschagrunert |
A friendly reminder that this issue had no activity for 30 days. |
What happened?
I have been successfully installing cri-o on top of Fedora CoreOS from the binary tarball(s) published on GitHub. I still do, using a technique called package-layering (https://github.com/coreos/layering-examples). I build a custom CoreOS image from base CoreOS image in the form of an OCI image that additionally contains cri-o and other software to run k8s node.
Recently, I tried to use podman on such a system. It failed with error:
Researching I found that installation of cri-o 1.28.2 from tarball overwrites
/usr/bin/conmon
from the rpm package that is part of the basic CoreOS image: conmon-2.1.8-2.fc39.x86_64. The binary installed from cri-o tarball announces itself as:...while the binary that is part of the conmon-2.1.8-2.fc39.x86_64 package says the following:
They mostly look like the same version, but are they? The binary from the cri-o tarball is much bigger:
...compared to the binary from the Fedora rpm package:
But this is probably because the tarball binary is statically linked and the rpm version is dynamically.
Investigating further I found that cri-o binary tarball might have other conflicts with rpm packages installed on base CoreOS from Fedora repo. What I did was I replaced the binary tarball distribution with a rpm package published on the official k8s repo (https://pkgs.k8s.io/addons:/cri-o:/stable:/v1.28/rpm/). This move revealed the conflict goes deeper. At first it seems that it is only the conmon package, but other Fedora packages installed on base CoreOS depend on conmon package. Transitively this evaluates to the following chain: conmon, containers-common, containers-common-extra, skopeo, podman, toolbox, ... but it doesnt stop there. If I wanted to remove those packages 1st before installing cri-o, I would have to remove a vital CoreOS package rpm-ostree, because it depends on skopeo.
So my question is: "Is it even possible to construct a consistent system without conflicts with a combination of cri-o and Fedora packages that would run on CoreOS?". I noticed that there is a cri-o package in the Fedora 39 updates repo, but it is only version 1.27.2. I need 1.28.x ... I think it would be possible if there was a cri-o packaging that would not include conmon.
What did you expect to happen?
To be able to install cri-o on CoreOS and not introduce conflicts while doing that.
How can we reproduce it (as minimally and precisely as possible)?
Use the followng
Containerfile
:With the followng additional resource
crio.network.conf
:...to build an OCI image. Publish the image to some image registry then use it in the CoreOS to rebase to it:
After rebooting try out the podman command etc. As you can see, the above installation of cri-o is already customized in a way that uses CNI plugins from the preinstalled CoreOS package containernetworking-plugins while skipping the installation of plugins bundled in the tarball. I can see that the tarball installation, among other files, installs also the following two:
Would you recommend that I somehow "skip" the installation of conmon so the CoreOS packagged version would remain intact and then try to use it with the cri-o and see if it works? Maybe even use conmonrs instead?
Anything else we need to know?
No response
CRI-O and Kubernetes version
OS version
Additional environment details (AWS, VirtualBox, physical, etc.)
The text was updated successfully, but these errors were encountered: