Skip to content

OCPNODE-3372: Update defaultRuntime doc to show options and set default to crun #2370

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

OCPNODE-3372: Update defaultRuntime doc to show options and set default to crun #2370

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
c3bedd4
OCPNODE-3372: Update defaultRuntime doc to show options available and…
ngopalak-redhat Jun 17, 2025
14c1130
OCPNODE-3372: Add ratcheting validation tests for defaultRuntime
ngopalak-redhat Jun 25, 2025
944efda
OCPNODE-3372: Remove omitempty from defaultRuntime as its handled in MCO
ngopalak-redhat Jun 25, 2025
e6104a2
OCPNODE-3372: Revert omitempty from defaultRuntime. Empty string and …
ngopalak-redhat Jun 26, 2025
011f4ca
OCPNODE-3372: Remove omitempty from defaultRuntime as its handled in …
ngopalak-redhat Jun 27, 2025
1255bfb
OCPNODE-3372: Remove omitempty from defaultRuntime as its handled in …
ngopalak-redhat Jul 2, 2025
a3b721e
OCPNODE-3372: Remove omitempty from defaultRuntime as its handled in …
ngopalak-redhat Jul 2, 2025
d339a49
OCPNODE-3372: Readd omitempty for defaultRuntime as its handled in MC…
ngopalak-redhat Jul 10, 2025
0d729b6
OCPNODE-3372: Readd omitempty for defaultRuntime as its handled in MC…
ngopalak-redhat Jul 10, 2025
01d83a6
OCPNODE-3372: Re-add omitempty for defaultRuntime as its handled in M…
ngopalak-redhat Jul 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
146 changes: 146 additions & 0 deletions ...tests/containerruntimeconfigs.machineconfiguration.openshift.io/DefaultRuntimeConfig.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,146 @@
apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
name: "ContainerRuntimeConfig"
crdName: containerruntimeconfigs.machineconfiguration.openshift.io
tests:
onCreate:
- name: Should fail if set to empty string
initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: ""
expectedError: "spec.containerRuntimeConfig.defaultRuntime: Unsupported value: \"\": supported values: \"crun\", \"runc\""
- name: Should not fail if not set and other fields set
initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
logLevel: info
expected: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should defaultRuntime be set to the empty string value here?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@everettraven I've reverted the omitempty removal and kept defaultRuntime as a non-pointer type.

My reasoning is:

  • MCO handles both unset and empty string values for defaultRuntime as a default to crun.
  • Changing it to a pointer would require extensive code changes. May be across MCO and API repos.
  • Keeping omitempty ensures the field is omitted when unset, avoiding a confusing empty string for users.
  • If a user explicitly sets it to an empty string, it will be included in the manifest, which is acceptable as MCO handles it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MCO handles both unset and empty string values for defaultRuntime as a default to crun.

Without a pointer, MCO cannot tell the difference between unset and the empty string.

Does the empty string mean anything to crun?

Keeping omitempty ensures the field is omitted when unset, avoiding a confusing empty string for users.

This is called discoverability in our APIs. When a controller generates a configuration API object, we try to generate a complete set of fields so that a user can easily see from the object, where there are options they may not have known about (they can discover the new options).

If a user explicitly sets it to an empty string, it will be included in the manifest, which is acceptable as MCO handles it.

But it won't round trip. As soon as a structured client writes the object, the field will be removed from etcd and future reads will not render the "" value. This means that an unstructured apply would never reach a stable state when the controller is responding to the writes from the unstructured client.

Either remove omitempty, or remove "" from the enum of valid values. Removing an enum value is a breaking change btw, so if this is already shipped and the enum already allows "", you should remove omitempty as this is the least breaking change.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @JoelSpeed . I have removed omitempty and updated test cases.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JoelSpeed can you review? Happy to address any comments you have

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are unstructured calls, unless there's an explicit default, I wouldn't expect the defaultRuntime to be added as part of this test

logLevel: info
- name: Should fail if set to a number
initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: 1234
expectedError: "spec.containerRuntimeConfig.defaultRuntime: Invalid value: \"integer\": spec.containerRuntimeConfig.defaultRuntime in body must be of type string: \"integer\", spec.containerRuntimeConfig.defaultRuntime: Unsupported value: 1234: supported values: \"crun\", \"runc\""
- name: Should fail if set to a blank string
initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: " "
expectedError: "Unsupported value: \" \": supported values: \"crun\", \"runc\""
- name: Should fail if invalid ContainerRuntimeConfig is provided
initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: docker
expectedError: "Unsupported value: \"docker\": supported values: \"crun\", \"runc\""
- name: Should be able to set crun in ContainerRuntimeConfig
initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: crun
expected: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: crun
- name: Should be able to set runc in ContainerRuntimeConfig with other params
initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: runc
logLevel: info
expected: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: runc
logLevel: info
onUpdate:
- name: Case 1 - Change another field - Should be able to update other parameters with invalid defaultRuntime
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/containerRuntimeConfig/properties/defaultRuntime/enum
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why remove the enum on thius one, "" is a valid choice no?

initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: docker
logLevel: fatal
updated: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: docker
logLevel: info
expected: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: docker
logLevel: info
- name: Case 2 - Remove the field - Should be able to update from invalid to removed
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/containerRuntimeConfig/properties/defaultRuntime/enum
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why remove the enum on this one? runc is a valid choice no?

initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: docker
updated: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig: {}
expected: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig: {}
- name: Case 3 - Update the field - Should be able to update from invalid to correct value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/containerRuntimeConfig/properties/defaultRuntime/enum
initial: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: docker
updated: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: runc
expected: |
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
spec:
containerRuntimeConfig:
defaultRuntime: runc
11 changes: 9 additions & 2 deletions machineconfiguration/v1/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -844,18 +844,25 @@ type ContainerRuntimeConfiguration struct {
// +optional
OverlaySize *resource.Quantity `json:"overlaySize,omitempty"`

// defaultRuntime is the name of the OCI runtime to be used as the default.
// defaultRuntime is the name of the OCI runtime to be used as the default for containers.
// Allowed values are `runc` and `crun`.
// When set to `runc`, OpenShift will use runc to execute the container
// When set to `crun`, OpenShift will use crun to execute the container
// When omitted, this means no opinion and the platform is left to choose a reasonable default,
// which is subject to change over time. Currently, the default is `crun`.
// +kubebuilder:validation:Enum=crun;runc
// +optional
DefaultRuntime ContainerRuntimeDefaultRuntime `json:"defaultRuntime,omitempty"`
}

type ContainerRuntimeDefaultRuntime string

// These constants are used in the Machine Config Operator (MCO)
const (
ContainerRuntimeDefaultRuntimeEmpty = ""
ContainerRuntimeDefaultRuntimeRunc = "runc"
ContainerRuntimeDefaultRuntimeCrun = "crun"
ContainerRuntimeDefaultRuntimeDefault = ContainerRuntimeDefaultRuntimeRunc
ContainerRuntimeDefaultRuntimeDefault = ContainerRuntimeDefaultRuntimeCrun
)

// ContainerRuntimeConfigStatus defines the observed state of a ContainerRuntimeConfig
Expand Down
12 changes: 10 additions & 2 deletions .../v1/zz_generated.crd-manifests/0000_80_machine-config_01_containerruntimeconfigs.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,16 @@ spec:
runtime.
properties:
defaultRuntime:
description: defaultRuntime is the name of the OCI runtime to
be used as the default.
description: |-
defaultRuntime is the name of the OCI runtime to be used as the default for containers.
Allowed values are `runc` and `crun`.
When set to `runc`, OpenShift will use runc to execute the container
When set to `crun`, OpenShift will use crun to execute the container
When omitted, this means no opinion and the platform is left to choose a reasonable default,
which is subject to change over time. Currently, the default is `crun`.
enum:
- crun
- runc
type: string
logLevel:
description: |-
Expand Down
12 changes: 10 additions & 2 deletions ...-crd-manifests/containerruntimeconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,16 @@ spec:
runtime.
properties:
defaultRuntime:
description: defaultRuntime is the name of the OCI runtime to
be used as the default.
description: |-
defaultRuntime is the name of the OCI runtime to be used as the default for containers.
Allowed values are `runc` and `crun`.
When set to `runc`, OpenShift will use runc to execute the container
When set to `crun`, OpenShift will use crun to execute the container
When omitted, this means no opinion and the platform is left to choose a reasonable default,
which is subject to change over time. Currently, the default is `crun`.
enum:
- crun
- runc
type: string
logLevel:
description: |-
Expand Down
2 changes: 1 addition & 1 deletion machineconfiguration/v1/zz_generated.swagger_doc_generated.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 10 additions & 2 deletions payload-manifests/crds/0000_80_machine-config_01_containerruntimeconfigs.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,16 @@ spec:
runtime.
properties:
defaultRuntime:
description: defaultRuntime is the name of the OCI runtime to
be used as the default.
description: |-
defaultRuntime is the name of the OCI runtime to be used as the default for containers.
Allowed values are `runc` and `crun`.
When set to `runc`, OpenShift will use runc to execute the container
When set to `crun`, OpenShift will use crun to execute the container
When omitted, this means no opinion and the platform is left to choose a reasonable default,
which is subject to change over time. Currently, the default is `crun`.
enum:
- crun
- runc
type: string
logLevel:
description: |-
Expand Down