Folks,
The recent runc container breakout vulnerability (CVE-2019-5736 [1]) sparked a discussion in WG-LTS[1] which led to exploring the option of separating out docker CRI into a separate binary.
Please see issue [1] about a long standing TODO and a prototype for a new cri-dockerd binary [2].
The pros are
- cri-dockerd can be maintained independently
- over time we can remove vendored docker dependencies in kubelet
- docker is not special and just a CRI just like every other CRI in our ecosystem
The cons are
- migration pain with a new binary in addition to kubelet
- updating all the eco-system tools to support the new binary
WDYT? What other pros and cons do you see?
Thanks,
Dims
[4] https://github.com/kubernetes/kubernetes/pull/74051
--
Davanum Srinivas :: https://twitter.com/dims
You received this message because you are subscribed to the Google Groups "kubernetes-sig-architecture" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-arch...@googlegroups.com.
To post to this group, send email to kubernetes-si...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CANw6fcFKtY5u5gJfXW3vJ11Vr9vuUSZwbZWY7US9KSiskG19sA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Folks,
For several versions now, Docker ships with containerd. In theory we can use containerd’s CRI plugin to connect to it directly (instead of going through docker shim, dockerd and then reach containerd).
My proposition is to connect to containerd on newer Docker versions and keep the shim as long as we support old Docker versions.
I don’t have a strong opinion on how the shim is going to be nursed until it’s removed (could be a separate binary or remain in kubelet).
Pros:
Cons:
Have a wonderful day!
--
Rostislav (Ross) M. Georgiev
VMware Open Source Technology Center