Casey Callendrello squeed

@squeed
squeed / info.md
Created January 8, 2024 12:51
cilium agent log: envoy takes too long

Background:

Allocating two new identities and updating the policy engine can take too long, tripping a circuit-breaker (100ms) and returning a DNS message early to the endpoint.

I have an excerpt from an agent log that shows this. The summary:

  • 29.960481392Z: ipcache starts
  • 29.964383980Z: allocation complete, update policy engine
  • 29.987019603Z: policy engine update complete, waiting for Envoy to update
@squeed
squeed / numcpu_override.c
Last active November 7, 2023 09:34
How to override _SC_NPROCESSORS_CONF when you know what you're doing.
// SPDX-License-Identifier: Apache-2.0
//
// Override sysconf CPU count detection. Why? Because cgroups exist. A process
// running on a 256-core machine, but with 2 cores of CPU granted, should not start
// 256 worker threads. I'm looking at you, gRPC.
//
// If you wanted, you could parse the cgroup knobs automatically.
//
// compile with
// gcc -shared -fPIC -Wall -Wextra -Werror numcpu_override.c -o numcpu_override.so -ldl
@squeed
squeed / generic-client.go
Created April 19, 2023 10:38
HOWTO actually use the kubernetes generic client
package main
import (
"context"
"fmt"
"os"
"path"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@squeed
squeed / kind-podman.sh
Created April 12, 2022 09:11
ovnk-kind-podman.sh
#!/usr/bin/env bash
# usage
# cd contrib; ./kind-podman.sh -ep 'sudo podman' -kb 'sudo kind' -gm shared
# Returns the full directory name of the script
DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
run_kubectl() {
local retries=0
local attempts=10
@squeed
squeed / release-notes.md
Last active May 10, 2019 13:57
CNI v0.8.0 release-notes

CNI v0.8.0

This is a major release of the CNI plugins. It includes

CHECK support enables container runtimes to validate that a container's network is still up and functioning properly. All of the official CNI plugins support CHECK.

New plugins:

  • bandwidth - limit incoming and outgoing bandwidth (#96), (#138).
  • firewall - add containers to firewall rules (#290).
@squeed
squeed / jira.md
Last active August 22, 2017 15:20

Likes

  1. Reasonably sophisticated dependency tree

Hates

  1. Child issues are poorly integrated:
    1. An "epic" does not transitively apply to all child issues, even though child issues cannot have epics
    2. the "sidebar" view (e.g. Sprint) doesn't show parent issues at all
    3. Blocked children are not exposed in the parent issue - blocking is not transitive.
  2. The interface is limited:
diff --git a/test/e2e_node/image_list.go b/test/e2e_node/image_list.go
index d87530e..581b2c0 100644
--- a/test/e2e_node/image_list.go
+++ b/test/e2e_node/image_list.go
@@ -60,6 +60,7 @@ func PrePullAllImages() error {
return err
}
images := framework.ImageWhiteList.List()
+
glog.V(4).Infof("Pre-pulling images %+v", images)
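Review bot: the lone `+` line after `images := framework.ImageWhiteList.List()` in `PrePullAllImages` is a blank line, and the hunk header (60,6 to 60,7) shows it is the only line this hunk adds, so the hunk is a whitespace-only change. If it is unintentional, drop it so the diff stays limited to functional changes; if it is meant to separate the image list retrieval from the `glog.V(4).Infof` call, mention that in the commit message.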
@squeed
squeed / plugin-chaining.md
Last active December 19, 2016 22:42
CNI plugin chaining discussion

CNI plugin chaining proposals

Motivation

CNI does not currently have a defined way to chain plugins. There is implicit chaining via the IPAM mechanism, where it is assumed that the top-level plugin (e.g. macvlan) will find and execute an IPAM plugin, but this is not made more generic.

Motivating examples

Flannel

The flannel plugin is runtime-interface-agnostic. It accepts an interface configuration, modifies it based on runtime flannel state, and passes this to the desired "real" plugin.

tuning

@squeed
squeed / cri-questions.md
Last active September 15, 2016 18:57
Questions about Kubernetes CRI implementation

CRI QUESTIONS

This references the api spec and the high level description.

It should be noted that the high-level description is somewhat out of date. There are now only two services: RuntimeService and ImageService.

  1. How are PodSandboxes mutated?
  2. Why does CreateContainerRequest also allow a PodSandboxConfig? Is this the preferred way to mutate a PodSandbox? What about cases where the sandbox is mutated outside of container creation?