templates: remove /usr/share/containers/oci/hooks.d from crio config

[vrutkovs]

- What I did
Removed /usr/share/containers/oci/hooks.d from CRI-O config. This folder is not available on RHEL7 hosts when CRI-O is being installed.

This dir is provided by oci-systemd-hook (if I understood correctly), however it is planned to be dropped during 4.3 lifecycle. This PR would ensure CRI-O is configured correctly in preparation to that

- How to verify it

Run RHEL7 scaleup - it should pass

- Description for the changelog
/usr/share/containers/oci/hooks.d is no longer being used as a source of CRI-O hooks.

/cc @mtnbikenc

[cgwalters]

It sounds like people were using this hook directory on traditional RHEL systems (since it's writable there), and given /etc/oci/hooks.d is new I'm worried we'll put people in a situation where they need to detect the OS and use the correct dir.

Maybe the simplest thing is to merge this PR, and then also do ln -sr /{etc,usr/share}/containers/oci/hooks.d in the crio RPM?

[vrutkovs]

Maybe the simplest thing is to merge this PR, and then also do ln -sr /{etc,usr/share}/containers/oci/hooks.d in the crio RPM?

That sounds sane to me, not sure if anyone has been installing custom cri-o hooks (especially in /usr/share). @lsm5 wdyt?

[vrutkovs]

Networking issue

/retest

[kikisdeliveryservice]

this PR is making a change to something that was recently added in https://github.com/openshift/machine-config-operator/pull/1299/files

@haircommander PTAL

/hold

[haircommander]

I am fine with it if it works with @zvonkok

[haircommander]

Since we already have /etc/containers/oci/hooks.d as a default in cri-o (as of cri-o/cri-o@16beb92), I'd just comment out all of hooks_dir so we can allow cri-o to set the default as it sees fit

[vrutkovs]

I don't think its a good idea. I'd rather have MCD be the single source of CRI-O configs rather then relying on CRI-O defaults. Other components might use this config to set their own hooks. Also CRI-O might be tested with oci-systemd-hook installed (which is not the case for FCOS and currently happening on RHCOS), so the test results from CRI-O suite might be inconvincing

[haircommander]

per conversations with @cgwalters we decided to keep the templated configs as slim as possible. If other components use this value, they can import the value from cri-o/cri-o/config, which we keep public for that very use case. Removing /usr/share/containers/oci/hooks.d will remove the oci-systemd-hook anyway (as it's only shipped there, and also being removed on rhcos), so after this PR the tests will be the same, regardless of whether this field is commented out or not.

my comment isn't necessarily blocking, but we've set the idiom in the other fields to use cri-o defaults when possible, and in this situation it is possible, so I'm still pushing to follow it

[vrutkovs]

Okay, in that case it should be done in a different PR (and moved to shared masters/workers templates)

[vrutkovs]

Flaky tests:

[Feature:OpenShiftControllerManager] TestDockercfgTokenDeletedController [Suite:openshift/conformance/parallel]

Failing tests:

[sig-network] Services should be rejected when no endpoints exist [Suite:openshift/conformance/parallel] [Suite:k8s] [Skipped:Network/OVNKubernetes]

/retest

[kikisdeliveryservice]

@haircommander @vrutkovs relevant bug below:
https://bugzilla.redhat.com/show_bug.cgi?id=1781019

[openshift-ci-robot]

@vrutkovs: This pull request references Bugzilla bug 1781019, which is invalid:

• expected the bug to target the "4.4.0" release, but it targets "4.3.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Bug 1781019: templates: remove /usr/share/containers/oci/hooks.d from crio config

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vrutkovs]

/retest

[openshift-bot]

/bugzilla refresh

The requirements for Bugzilla bugs have changed, recalculating validity.

[openshift-ci-robot]

@openshift-bot: This pull request references Bugzilla bug 1781019, which is invalid:

• expected the bug to target the "4.4.0" release, but it targets "4.3.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

The requirements for Bugzilla bugs have changed, recalculating validity.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[haircommander]

/retest

[haircommander]

@vrutkovs would you mind changing the name to not reference the bug? I'll backport the fix to release-4.3 and link the bug there

@mrunalp PTAL

[openshift-ci-robot]

@vrutkovs: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

Details

In response to this:

templates: remove /usr/share/containers/oci/hooks.d from crio config

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vrutkovs]

Done

[mrunalp]

Can we drop this comment?

[mrunalp]

Can we drop this comment?

[vrutkovs]

Done. Updated commit message too

[mrunalp]

/lgtm

[cgwalters]

Also adding a
/hold
here since

This dir is provided by oci-systemd-hook (if I understood correctly), however it is planned to be dropped during 4.3 lifecycle.

Reference? It's listed explicitly in the RHCOS manifest I believe because we want to support people doing a "lift and shift" of VMs into containers (where systemd runs in the container) and the like.

Its existence also makes things messier here...I think we probably need both values in the configuration?

[haircommander]

/retest

https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/764 actually dropped oci-systemd-hook from rhcos (as it's no longer needed in our container engines)

thus:
/hold cancel

[runcom]

/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: LorbusChris, mrunalp, runcom, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [runcom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[haircommander]

/cherry-pick release-4.3

[openshift-cherrypick-robot]

@haircommander: new pull request created: #1329

Details

In response to this:

/cherry-pick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[carbonin]

I saw mention in here that oci-systemd-hooks is not needed anymore on cri-o nodes. (specifically from @haircommander in #1314 (comment)) What does that mean exactly? How does running a container with init work without privileged?

I opened https://bugzilla.redhat.com/show_bug.cgi?id=1807245 a while back and am trying to get some clarity on what's going on.