-
Notifications
You must be signed in to change notification settings - Fork 505
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm debian package v1.25.6 fails against v1alpha2 API CRI due to dependency on cri-tools >= 1.26.0 #2866
Comments
TLDR: kubeadm v1.25.6's package requires a newer cri-tools, which increases the CRI apiVersion requirement to v1, from v1alpha2 with kubeadm v1.25.5. |
/transfer release this is a package management issue. @afbjorklund i believe you investigated similar issues recently? |
Yes, the new kubeadm can only be used with the new container runtimes. It does not support containerd 1.5 or cri-dockerd 0.2 (or dockershim). So the depends are wrong |
The upgrade of CNI is also doubtful, for a maintenance release... Haven't checked yet if the 1.2.0 packages are also mispackaged, like 1.0/1.1 were EDIT: No, it looks OK: anders@lima-k8s:~$ apt list | grep kubernetes-xenial
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
cri-tools/kubernetes-xenial,now 1.26.0-00 amd64 [installed]
docker-engine/kubernetes-xenial 1.11.2-0~xenial amd64
kubeadm/kubernetes-xenial,now 1.26.1-00 amd64 [installed]
kubectl/kubernetes-xenial,now 1.26.1-00 amd64 [installed]
kubelet/kubernetes-xenial,now 1.26.1-00 amd64 [installed]
kubernetes-cni/kubernetes-xenial,now 1.2.0-00 amd64 [installed]
rkt/kubernetes-xenial 1.29.0-1 amd64
anders@lima-k8s:~$ crictl --version
crictl version v1.26.0
anders@lima-k8s:~$ /opt/cni/bin/portmap --version
CNI portmap plugin v1.2.0
CNI protocol versions supported: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 1.0.0
anders@lima-k8s:~$ /opt/cni/bin/flannel --version
CNI Plugin flannel version v1.1.0 (linux/amd64) commit 6e8bb113 built on 2022-05-20T12:20:06Z
CNI protocol versions supported: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 1.0.0
anders@lima-k8s:~$ containerd --version
containerd github.com/containerd/containerd v1.6.12 a05d175400b1145e5e6a735a6710579d181e7fb0
anders@lima-k8s:~$ sudo crictl version
Version: 0.1.0
RuntimeName: containerd
RuntimeVersion: v1.6.12
RuntimeApiVersion: v1 |
This is also a breaking change for minikube, so need to bundle CRI and CNI with k8s instead of with the OS I haven't yet figured out the best way to get which versions to install, but maybe it needs a mapping table ? One can extract it from the debs, but I think it lives in the release documents somewhere.
Still need to figure out which release version to use. kubernetes/release packages/rpm/kubelet.spec It seems hardcoded in the docs: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ RELEASE_VERSION="v0.4.0"
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | sudo tee /etc/systemd/system/kubelet.service
sudo mkdir -p /etc/systemd/system/kubelet.service.d
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | sudo tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
i think this is due to the old problem where package updates land on all minor releases. i know one discussed fix was complicated - separate package repositories per minor. |
The package updates are fine, they are pinned anyway so requires picking a version to install. anders@lima-k8s:~$ apt-mark showhold
kubeadm
kubectl
kubelet Having to select the minor version of the repo is annoying, like how it is being done in cri-o. These are the actual dependencies inside the debs, that has been bumped for the older too.
Since it is no longer backwards compatible, it needs to be forked and updated separately... |
Beyond kubeadm=1.25.6-00, it is also in kubeadm=1.24.10-00 and kubeadm=1.23.16-00 |
I was going to report this, but found this issue. I think this affects all package-based new installations of kubeadm <= 1.26.0, because the cri-tools version has only a lower bound, as shown in the table above. (Also see the kubeadm.rpmspec). Is it fair to assume that kubeadm <= 1.26.0 is guaranteed, until at least its end-of-life, to work with CRI v1alpha2? For argument's sake, I'll say yes. Then, since kubeadm requires cri-tools, kubeadm cannot depend on cri-tools v1.26..0. Therefore, the fix is to add an upper bound to the cri-tools dependency for all kubeadm <= 1.26.0 packages that are still under support. It is, in theory, possible to release new RPM and DEB packages for older versions of kubeadm by incrementing the release and revision, respectively. (I'm not sure how that's could be done in this repository, because I only see a single branch. I would expect to modify the RPM and DEB metadata in release branches.) |
I think that is the real missing feature here. The current depends is an ongoing patchwork: I'm not really sure why kubeadm requires cri-tools, and we had some package conflicts with kubernetes-cni But I think the latest update should be reverted meanwhile, so that it can stay on the 1.25.0 and 1.1.1 "for a while". It needs then to be configured/pinned by the user, but that's not worse than the rest of the OOTB failures.
You can still install the new versions of the packages, if you are running with a newer container runtime. |
@mohag if you ever want to upgrade Kubernetes 1.26 (and up), which requires CRI v1 to be used: Then you need to change, from ubuntu's containerd.io/focal 1.6.15-1 amd64 [residual-config] The only thing to watch out for, is that the Docker packaging disables the CRI plugin by default...
This is because CRI talks to cri-dockerd, so there is no reason for cri-containerd to be enabled (with Docker) This is documented upstream, but can be an issue when upgrading. Should be OK again with Ubuntu 24.04 ? https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd
|
This issue probably needs fixing, before automating the updates in the future: |
Exactly, I think we can solve this with the new packaging approach (kubernetes/enhancements#3750), but we may require an intermediate fix as well. |
That is mainly why we are testing 1.25 for now. They might update containerd. I'm also thinking adding a CRI-O role to our Ansible deployment as an option might be useful... (It also ensures that we don't get too used to one container runtime...)
That is useful to know, thanks. |
kubeadm calls the
Given the number of installations this impacts, I agree. IIUC, anyone that provisions Kubernetes <= 1.26.0 using our packages, and your container runtime does not expose the CRI v1 API, e.g., containerd <= 1.6.0. I suspect this describes many production clusters. |
But it could have been an "external" dependency, since it is checked during the preflight phase ? The versions also seemed to be totally arbitrary, so maybe it could have been left at the names ? |
Is this a BUG REPORT or FEATURE REQUEST?
BUG REPORT
Versions
kubeadm version (use
kubeadm version
):kubeadm version: &version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.6", GitCommit:"ff2c119726cc1f8926fb0585c74b25921e866a28", GitTreeState:"clean", BuildDate:"2023-01-18T19:20:37Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"}
Environment:
kubectl version
): Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.6", GitCommit:"ff2c119726cc1f8926fb0585c74b25921e866a28", GitTreeState:"clean", BuildDate:"2023-01-18T19:22:09Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"}uname -a
): Linux master-test-cluster.iotnxt.io 5.15.0-58-generic #-64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/LinuxWhat happened?
When attempting to run
kubeadm config images pull
it fails compaining that the CRI runtime does not support the v1 API.What you expected to happen?
A runtime supporting CRI apiVersion v1alpha2 should work, as documented here
How to reproduce it (as minimally and precisely as possible)?
On a Debian environment (Ubuntu 22.04 will work)
Configure the Kubernetes APT repo.
Install containerd 1.5.x
Set up pins in
/etc/apt/preferences.d/kubeadm
for kubeadm and cri-tools on1.25.*
(kubeadm v1.25.6 will fail with this, see above, so the pin for cri-tools might need to be removed to reproduce the error)With the pins, attempt to install kubeadm (it will fail complaining that it depends on >= v1.26. If the pin is removed, it will install, but fail to communicate with containerd v1.5.9)
More minimal for the underlying issue:
On ubuntu 22.04:
Check dependencies for kubeadm v1.25.5 and v1.25.6 with
apt show
. Install the cri-tools version that it depends on.Install containerd 1.5.9 (that is the default one from the OS repo)
Run
crictl -r unix:///run/containerd/containerd.sock version
.For cri-tools v1.26.0 (depended on by kubeadm v1.25.6):
For cri-tools v1.25.0 (which is within kubeadm v1.25.5's dependencies, but not v1.25.6's)
Note that it works when the cri-tools version that v1.25.5 depends on is installed, but fails if the version that v1.25.6 depends on is installed.
Anything else we need to know?
v1.25.5 worked correctly - cri-tools v1.25.x could be installed and with that installed the pull works.
The version of cri-tools depended on by v1.25.6 (>= 1.26.0) differs from that of v1.25.5 (>= 1.25.0).
The text was updated successfully, but these errors were encountered: