feat(helm): move dind to sidecar #3842
Conversation
velkovb
requested review from
mumoshu,
toast-gear,
rentziass and
a team
as code owners
|
I think this may fix an issue i'm seeing sometimes with our runners. In some jobs, we were seeing this error message in the "Initialize Containers" workflow step:
|
@chadxz This exactly the issue we were seeing and it helped us fix it. |
|
I tried using this but realized it conflicts with my manual dind setup in values.yaml. However I was able to move my dind container from “containers” to “initContainers” and set ‘restartPolicy: Always’ to replicate this behavior. worked! |
Probably the case for most people. It is in the custom dind for us as well but I believe it should be the default option actually |
Hi @chadxz, seeing the same problem and really curious on how you were able to do this? From my understanding, Init containers have to run completion before the main containers are started. How do you make sure that the daemon is still running by the time we get to the main runner container? Update: I see that adding the restart policy to always makes it a sidecar container which means it stays running |
|
@saienduri as you found, the restart policy is the trick |
|
@chadxz @velkovb I'm having this issue intermittently in the "Initialize Containers" workflow step. I've done what you're suggesting, but it didn't solve it. I'm using Kubernetes 1.30. In case I'm missing something, that's the |
|
Is there any chance for this to be reviewed? @nikola-jokic |
|
Bump |
|
Hey @velkovb, Can you please fix the test as well? |
|
@nikola-jokic Thanks for bringing it up. I didn't realise there were tests. Ran tests locally and they pass now. |
|
We've been struggling with this |
|
Hey @elocke, You can use these changes before we issue the next release by not using our official chart, but the local one with the changes you need. |
|
Gave it a shot, unfortunately AWS EKS does not support Sidecar initcontainers yet :/ Thanks for your work! |
|
@elocke we are on EKS and that works just fine. You should be above 1.29 for it to work. |
Very interesting, we're on 1.32 and AWS support told me it's not supported. restartPolicy in the initcontainer is dropped from the live manifest Even this test doesn't work for me: apiVersion: v1
kind: Pod
metadata:
name: sidecar-test-behavior
labels:
admission.datadoghq.com/enabled: "false"
spec:
initContainers:
- name: sidecar-init
image: docker:dind
args: ["dockerd", "--host=unix:///var/run/docker.sock"]
securityContext:
privileged: true
restartPolicy: Always
volumeMounts:
- name: sock
mountPath: /var/run
containers:
- name: main
image: busybox:1.28
command: ["sleep", "300"]
volumeMounts:
- name: sock
mountPath: /var/run
volumes:
- name: sock
emptyDir: {}EDIT: figured it out, it was an old mutatingwebhook that was pulling it out. Thanks again. However, we're seeing this error of |
|
Just noticed this change in the release notes. Why in the world are you assuming that dockerd do not need to handle SIGTERM gracefully? How did you test that theory and what proof do you have? |
|
edit, nevermind |
|
Hi, i have issues running dind-rootless. can you update the official documentation how to run rootless ARC? |
|
Hi, I wanted to ask if For example, Ken Muse describes an approach where the Would love to hear your thoughts or experiences on whether Thanks! |
Run
dindcontainer as a SidecarCurrently, in
dindmode we run 2 containers in the pod. This results in them having their own lifecycles. In the case ofdindthis could lead to issues as the process in therunnercontainer depend on the docker socket from thedindcontainer. We hit that multiple times were we wanted to wait for jobs to complete and the runner container stays alive as we handle the SIGTERM manually butdinddies and the jo fails. When running as a Sidecar containerdindstays alive as long as the pod is alive and we don't need to do custom SIGTERM handling there.Since 1.29 Sidecars are enabled by default so this PR moves the
dindcontainer as a Sidecar if the version is above 1.29.