sandbox: Move CRI Image Service and CRI Base seperate plugins

[abel-von]

This PR cherry-picked the #9119 and split the CRI plugin into plugins below:

1. the io.containerd.internal.v1.cri plugin is for loading cri configuration and validation
2. the io.containerd.image.v1.cri-image-service plugin is a image service to create/pull/remove/query images.
3. the io.containerd.sandbox.controller.v1.podsandbox the a sandbox controller implement that create a pause container to mimic a sandbox, it is a legacy support.
4. the io.containerd.grpc.v1.cri-grpc-service is the CRI grpc service plugin, to serve grpc API calls of CRI interfaces.

[k8s-ci-robot]

Hi @abel-von. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[abel-von]

PTAL @mxpv @fuweid @dmcgowan

[fuweid]

All the integration test cases fail. I think there is regression caused by 09723a6

[abel-von]

I think it is not caused by 09723a6. It is actually because we changed the cri plugin type from io.containerd.grpc.v1 to io.containerd.internal.v1 so that the RootDir and StateDir in Config changed.
Recently we init the Config in the code below

	c := criconfig.Config{
		PluginConfig:       *pluginConfig,
		ContainerdRootDir:  filepath.Dir(ic.Properties[plugins.PropertyRootDir]),
		ContainerdEndpoint: ic.Properties[plugins.PropertyGRPCAddress],
		RootDir:            ic.Properties[plugins.PropertyRootDir],
		StateDir:           ic.Properties[plugins.PropertyStateDir],
	}

I think we may have to keep the RootDir and StateDir io.containerd.grpc.v1.cri, or we migrate cri root dirs and state dirs to the new path, but we can not simply rename them to the new path because some paths such as io fifos are stored in the db.
@fuweid

[abel-von]

I think the CRI integration test passed, one of them failed because an occasional failure of the container registry. could you please rerun it to make sure all CI steps green? @fuweid

[fuweid]

could you just keep it as cri? It's unlikely to do live-migration because the running containers are using the volume in this plugin folder.

[fuweid]

We probably need to add some release upgrade integration cases for this before we accept this.

REF:

containerd/integration/release_upgrade_linux_test.go

Line 52 in 6ed8f01

// Add exec/stats/stop-existing-running-pods/...

[abel-von]

could you just keep it as cri? It's unlikely to do live-migration because the running containers are using the volume in this plugin folder.

That is actually why the intergration test failed before. So that I add a commit 9a18e8e to keep the plugin folder path "io.containerd.grpc.v1.cri" as before.

I think it is no use to change the name here because we want to add a plugin of type io.containerd.internal.v1 to carry the cri configs and other plugins will be depend on this plugin to get the cri configs.

[abel-von]

We probably need to add some release upgrade integration cases for this before we accept this.

added a test case to manipulate the containers in the pod before upgrade. 0597be4849

[abel-von]

The added integration test case reveals an existing compatibility issues, and I fixed in e18e86905b3071, all these are included in this PR, could you please take a look at the new commits ?

or, as Max has approved, shall I put the two new commits in a new PR? @mxpv @fuweid

[fuweid]

I think we don't need to rename it cri-grp-service. Just use cri because it's grpc plugin. It won't conflict with internal one.

[mikebrow]

looking good .. yes, suggest splitting up the test and fix (last two commits) into another PR .. tag that PR for cherry pick..

[abel-von]

the integration test codes is splited into the new PR #9434

please take a look @mikebrow @fuweid

[fuweid]

Basically, it looks good to me

[fuweid]

I think we don't need to rename it cri-grp-service. Just use cri because it's grpc plugin. It won't conflict with internal one.

[fuweid]

I think it's not a long-term solution. We should introduce some toggle to switch to use cri.base root or state dir in the future.

[abel-von]

I think it's not a long-term solution. We should introduce some toggle to switch to use cri.base root or state dir in the future.

we may have to record the root and state dir in the sandbox object in cri cache, when recovering from restart, we need to detect if it is "io.containerd.internal.v1.cri" or "io.containerd.grpc.v1.cri", but this is a big change, can we leave it in another PR?

[abel-von]

I think we don't need to rename it cri-grp-service. Just use cri because it's grpc plugin. It won't conflict with internal one.

changed back to "cri"

[fuweid]

we may have to record the root and state dir in the sandbox object in cri cache, when recovering from restart, we need to detect if it is "io.containerd.internal.v1.cri" or "io.containerd.grpc.v1.cri", but this is a big change, can we leave it in another PR?

Yes. We can handle it in the follow-up. I am not against to introduce fallback logic to handle existing running pods. 😂

[fuweid]

LGTM