Clarification regarding versioning of cri-tools

erihanse commented 3 years ago

Sorry if this should've been posted in https://github.com/kubernetes-sigs/cri-tools instead, but I'll start with asking this question here.

What happened:

When I try to install kubernetes with kubeadm >1.16.x, I see cri-tools >= 1.13.0 listed as a dependency:

[deploy@demoworker1test ~]$ yum deplist kubeadm --disableexcludes=kubernetes
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager, versionlock
Loading mirror speeds from cached hostfile
 * base: mirror.nsc.liu.se
 * extras: mirror.nsc.liu.se
 * updates: mirror.nsc.liu.se
Excluding 7 updates due to versionlock (use "yum versionlock status" to show them)
package: kubeadm.x86_64 1.16.15-0
  dependency: cri-tools >= 1.13.0
   provider: cri-tools.x86_64 1.13.0-0
  dependency: kubectl >= 1.13.0
   provider: kubectl.x86_64 1.16.15-0
  dependency: kubelet >= 1.13.0
   provider: kubelet.x86_64 1.16.15-0
  dependency: kubernetes-cni >= 0.8.6
   provider: kubernetes-cni.x86_64 0.8.7-0

However, under https://github.com/kubernetes-sigs/cri-tools#current-status a compatibility matrix is listed, suggesting that Kubernetes Version >= 1.16.x has a dependency of cri-tools >= 1.16.x.

What you expected to happen:

Compatibility matrix in https://github.com/kubernetes-sigs/cri-tools#current-status is reflected in yum. For instance, cri-tools >= 1.16.x is required for Kubernetes 1.16.x. Since cri-tools is listed here: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#kubernetes-binaries-and-package-contents, we can assume that cri-tools is set up the right way along with kubeadm when installed with deb/rpm packages.

How to reproduce it (as minimally and precisely as possible):

Run

$ yum deplist kubeadm-1.16.15 --disableexcludes=kubernetes

Observe that minimum requirements are not comparable with the compatibility matrix of cri-tools.

Anything else we need to know?:

Another question: Why aren't newer deb/rpm packages for cri-tools > 1.13 released?
Also: not a big deal, but the link to cri-tools under https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#kubernetes-binaries-and-package-contents seems to point to the old repo: https://github.com/kubernetes-incubator/cri-tools instead of https://github.com/kubernetes-sigs/cri-tools.

Environment:

Cloud provider or hardware configuration: on-prem
OS (e.g: cat /etc/os-release): Centos 7.8
Kernel (e.g. uname -a): 3.10.0-1127.19.1.el7.x86_64

Thanks!

neolit123 commented 3 years ago

This was reported to me the other day, but i didn't have time to look. The person reporting saw compat issues between crictl and containerd too. In general we should be attaching the latest cri-tools to the latest version of k8s.

justaugustus commented 3 years ago

/assign @saschagrunert cc: @kubernetes/release-engineering /milestone v1.20

saschagrunert commented 3 years ago

Yes, right now we're not building DEB/RPM packages for cri-tools any more, because we just provide statically linked binaries for most hosts. I think kubepkg can/should take care of that, but this is more of a long-term effort.

MarkusTeufelberger commented 3 years ago

The most "recent" version of cri-tools that's available on https://packages.cloud.google.com/apt/dists/kubernetes-xenial/main/binary-amd64/Packages is actually (still) 1.13.0-01.

However, the kubeadm package even in the most recent version (1.19.4) depends on this cri-tools package, so it would be nice to get some update there. After all, there has been some development over there in the past 2 years (https://github.com/kubernetes-sigs/cri-tools/releases).

neolit123 commented 3 years ago

i think it may be time to decouple our other packages from depending on cri-tools and make applications (like kubeadm) just fail at runtime with good error messages, but this may cause the same issues we saw earlier if we apply a change to packages across all PATCH releases.

saschagrunert commented 3 years ago

i think it may be time to decouple our other packages from depending on cri-tools and make applications (like kubeadm) just fail at runtime with good error messages, but this may cause the same issues we saw earlier if we apply a change to packages across all PATCH releases.

Hey @neolit123 are you actively working on this topic? Do you need anything from us to achieve the goal?

neolit123 commented 3 years ago

@saschagrunert

are you actively working on this topic?

no, because it's tricky.

Do you need anything from us to achieve the goal?

yes:

the specs for kubelet and kubeadm must be versioned with the components they originate from: see https://github.com/kubernetes/kubernetes/issues/88832
the cri-tools package should be removed in the latest MINOR version only. e need to stop pushing package changes to all PATCH releases in the MINOR skew. currently if one removes https://github.com/kubernetes/release/blob/b51adb224954dc7e16d1ed9bda2e4b48cdf0d885/packages/rpm/kubelet.spec#L75 it will be pushed to all PATCH versions.

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot commented 3 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten

MarkusTeufelberger commented 3 years ago

/remove-lifecycle rotten

To please our robot overlords

saschagrunert commented 3 years ago

@MarkusTeufelberger this topic is no priority for SIG Release right now, hence we did not start working on it due to other ongoing topics. May I ask you if you wanna work on this topic?

MarkusTeufelberger commented 3 years ago

So SIG release does not package the tools from SIG node since December 2018 but that's not a priority? I mean I can try to take a look, but I don't even know where to start looking: cri-tools doesn't seem to have any deb/rpm builds in its repository, kubepkg is written in go, not a language I'm very familiar with and I have no idea where and how this kubepkg ultimately gets called in various CI pipelines. I was hoping it would be enough to change a 1.13.0 somewhere to a 1.21.0, but apparently it is somehow more involved than that.

BenTheElder commented 3 years ago

AFAIK packages are actually still built with some shell scripts

https://github.com/kubernetes/release/tree/master/hack/rapture -> https://github.com/kubernetes/release/blob/eff40a556b1f7ec298a7f376588bd8c4a16d0cf2/hack/rapture/k8s-rapture.sh#L178 https://github.com/kubernetes/release/blob/eff40a556b1f7ec298a7f376588bd8c4a16d0cf2/hack/rapture/k8s-rapture.sh#L123

-> https://github.com/kubernetes/release/blob/master/packages/rpm/docker-build.sh https://github.com/kubernetes/release/blob/master/packages/deb/jenkins.sh

however since this is essentially not versioned with kubernetes, it's tricky to safely fix this. https://github.com/kubernetes/release/issues/1913

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

MarkusTeufelberger commented 2 years ago

Still an issue, cri-tools is still ancient in the official debian repositories (https://packages.cloud.google.com/apt/dists/kubernetes-xenial/main/binary-amd64/Packages) and cri-tools does still not release alternative current deb packages (https://github.com/kubernetes-sigs/cri-tools/releases).

I still can't use proper zsh shell completion to this day because of this... support for that was merged 2 and a half years ago.

/remove-lifecycle rotten

rpardini commented 2 years ago

Indeed. Worse: the kubeadm package hard Depends: [...] cri-tools (>= 1.13.0) which makes deploying recent cri-tools releases from source/binary to /usr/bin/crictl a pain, especially during upgrades.

MarkusTeufelberger commented 2 years ago

A 1.22.0 release would fulfill this dependency too, what exactly is the issue there?

rpardini commented 2 years ago

The real issue is carrying outdated cri-tools: 1.22.0 last release, 1.17.0 in the "Without a package manager" instructions, and 1.13.0 in the official repo. (The issue I mentioned arises when trying to use updated crictl from a different package, but it is indeed a very specific problem, and could be handled via Conflicts/Replaces/Provides)

justaugustus commented 2 years ago

Starting some updates to the package specs here: https://github.com/kubernetes/release/pull/2295

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

MarkusTeufelberger commented 2 years ago

Still ongoing.

/remove-lifecycle rotten

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

MarkusTeufelberger commented 1 year ago

I think I saw a package for a more recent version of cri-tools in the debian repo, so maybe this has been dealt with?

/remove-lifecycle rotten

saschagrunert commented 1 year ago

I agree I think we're done with respect to the scope of this issue.

kubernetes / release