Pass the label of docker container to the annotation of OCI runtime spec

[miaoyq]

Signed-off-by: Yanqiang Miao miao.yanqiang@zte.com.cn

- What I did
Currectly, docker save the label data in container struct of docker, but not in config.json defined by OCI.
This pr pass the label of docker container to the annotation of OCI runtime spec, so that the label data which is set by kubernetes can be used by the VM-based runtime (like clear-containers) .
For example:

	containerTypeLabelKey       = "io.kubernetes.docker.type"
	containerTypeLabelSandbox   = "podsandbox"
	containerTypeLabelContainer = "container"
	containerLogPathLabelKey    = "io.kubernetes.container.logpath"
	sandboxIDLabelKey           = "io.kubernetes.sandbox.id"

/cc @sameo @plutoinmii

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[AkihiroSuda]

Is s.Annotations guaranteed to be empty here?

Even if so, I think the code should be as follows:

for k, v := range c.Config.Labels{
  vv, ok := s.Annotations[k]
  if ok {
    return nil, errors.Errorf("label %q conflicts, old=%q, new=%q", vv, v)
  }
  s.Annotations[k] = v
}

[miaoyq]

@AkihiroSuda Thanks, will do.

[miaoyq]

@AkihiroSuda If a key already exists in s.Annotations we could print a warning msg instead of return directly, wdyt?

[AkihiroSuda]

I think ok.

[miaoyq]

Done.

[AkihiroSuda]

: -> =?

[miaoyq]

Done.

[thaJeztah]

nit: oldValue and ok are only used inside the if, so;

if oldValue, ok := s.Annotations[k]; ok {
    logrus.Warningf("Key %q already exists in Annotations, old value=%q, new value=%q", k, oldValue, v)
    continue
}

The warning should also mention that we're ignoring the new value

I'm not sure what would be best though:

• under what situations would an existing label exist in the annotations?
• if an existing annotation is there, is it correct to ignore the new value (even with a warning)? Or should it produce an error; instructing the user to correct the conflicting option?

In general, I'm in favour of being strict, and error out. If at some point in future we think it's ok to change an error into a warning, we can do so without breaking backward compatibility, whereas the opposite is not possible.

ping @mlaventure @cpuguy83 PTAL

[mlaventure]

I'm not sure in which scenario that would happen, but I'd vote to start with an error too,

[miaoyq]

@thaJeztah @mlaventure Makes sense. Will change to error.

[miaoyq]

Done.

[thaJeztah]

oh; meant this to be returning the error (thus "fail");

return nil, errors.Errorf(".......

[miaoyq]

@thaJeztah I thought that this should not terminate the container starting, just give an error message, since the Annotations does not seem to be used directly by docker.
But returning the error is also reasonable here. Have done. :-)

[thaJeztah]

LGTM

@AkihiroSuda PTAL

[thaJeztah]

Actually; one more thought: do labels that are set on a docker container have to be namespaced when passing through? (e.g. a org.moby.label.<label name> prefix)? IOW; is there a need to distinguish labels from other kind of annotations?

[miaoyq]

Is there a need to distinguish labels from other kind of annotations?

@thaJeztah I think we should keep it as it is, make sure OCI runtime can get the data that has not be changed.
Containerd also doesn't care the Annotations as far as I know. :-)

[justincormack]

I really don't like just passing all labels through, people use labels for all sorts of things, and these may not be intended to be passed on.

Also the OCI spec says "Keys SHOULD be named using a reverse domain notation - e.g. com.example.myKey." and "Keys using the org.opencontainers namespace are reserved and MUST NOT be used by subsequent specifications." so I think just adding arbitrary labels is not the intended use case.

(containerd also has annotations, but I don't think we want to expose those either necessrily).

this needs more discussion

[miaoyq]

@justincormack Could we filter the labels whose key format like io.kubernetes.docker.type and copy them into annotations fields?

[WeiZhang555]

I think this feature can be useful, currently there's no way to pass Annotations into OCI runtime from docker, though OCI spec defines Annotations field.

How about we make some rules, for example, if the label key string starts with "annotation.", we pass it to runtime annotation, otherwise we do nothing.

1. label "annotation.io.kubernetes.docker.type=container", then we pass an Annotation["io.kubernetes.docker.type"]=container
2. label "io.docker.xxx=xxx", we do NOT pass it to OCI runtime.

[miaoyq]

Any conclusion for this feature?
Docker still the main and default container runtime engine for k8s so far, so I think this feature is very useful for the people of using secure containers. :-)
@thaJeztah @justincormack

[cpuguy83]

What about just a list of label keys as an allow-list for what gets passed to the runtime?

[olljanat]

@miaoyq this one needs to be rebased

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "label-to-oci-spec-annotation" git@github.com:miaoyq/docker.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354427496
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@d147fe0). Click here to learn what that means.
The diff coverage is 33.33%.

@@            Coverage Diff            @@
##             master   #36181   +/-   ##
=========================================
  Coverage          ?   36.56%           
=========================================
  Files             ?      608           
  Lines             ?    45042           
  Branches          ?        0           
=========================================
  Hits              ?    16470           
  Misses            ?    26293           
  Partials          ?     2279

[thaJeztah]

Implemented (but slightly different) in #45025