Support to specify ``trusted`` for runtime creation. In Kubernetes
orchestrator implementation, it's using
``io.kubernetes.cri-o.TrustedSandbox`` annotation in the pod specification
to choose the underlying container runtime. This feature is useful to
leverage the security container technology such as Kata containers or
gVisor. It also gets rid of the security concerns for running image type
function.
Story: 2003088
Task: 23172
Change-Id: Ic4fa3e97dcc239c7177448e3cef5d0f02340d302
Add an administrative operation for getting the pool information for the
runtime, so that the admin user can check the capacity of the runtime and
scale up or scale down the pool accordingly.
Change-Id: Iec4536396c1c31a9e545b09c5f46b46dc6d79ae6
Story: 2002969
Task: 22975
Using 'cgroup' in runtime server to limit cpu and memory resources.
Each pod in deployment will have respective 'cgroup' directory on host.
Under '/sys/fs/cgroup/xx/kubepods/<qos_class>/pod<uid>' directory, use
HOSTNAME to create a new cgroup folder, which will only be used to
limit function execution. Then we do not need to care about how and
when to delete this new folder on host.
Use 'openstackqinling/python-runtime:0.0.3' as the new python runtime
image.
Story: 2001586
Task: 14415
Change-Id: Id04a72c4f4a3c559dc7c746688b13ef93656d125
This makes sure that users are told executions failed due to something
being wrong in Qinling engine.
Change-Id: I19abb2ad4abe955bf18550bce04499d2c4f9bbb5
Story: 2002043
Task: 19687
Limit image type function resources by using customized cpu/mem saved
in function database. And this patch is based on patch [0].
[0]: Change-Id: I7a245f93a445a00c2722238d3f94d3a960f16af4
Story: 2001586
Task: 14415
Change-Id: I1e86d5061e68eb584283b0d2f5482d4931d7e4f2
Now, all the underlying resources (pod, service) in k8s cluster have
version number in their labels. Different versions of the same function
will have different services exposed in k8s cluster.
Change-Id: Ic0b3045404105175073844b908fa0f6c2ef2ab8a
Story: #2001829
Task: #14350
When scaling down a function, the information of the workers in etcd is
not taken good care of. This commit fixes the issue.
Change-Id: I18a1d3565b52b521fda6a1fb5b5e63a6d30e6654
- avoid labels being None and passed to selector generation method
- correct the name of create_namespaced_deployment_rollback
- update _choose_available_pods, taking the 'count' parameter into
account
- fix potential errors in _create_pod as input may be a string rather
than a dict
Change-Id: Iadc05caec871e37c7eeb9cfd9d358aec0b280315
- Allow user to create webhook based on the function.
- Webhook can be invoked without authentication.
- Cannot delete function associated with webhook.
Another big change is, we are going to use minikube instead of
kubernetes-aio scripts from openstack-helm project.
Implements: blueprint qinling-function-webhook
Change-Id: I85e0b0f999f0d820bfacca9ac3b9af04e80df0d7
From 4.0.0, kubernetes-incubator/client-python uses multiprocessing
library to send request to k8s cluster, which is not supported by
eventlet. This patch introduced the following changes to fix the issue:
- Use cotyledon for engine service rather than oslo.service
- Update global requirements
- Provide separate scripts for api and engine service
References:
[1] https://github.com/eventlet/eventlet/issues/147
[2] https://bugs.launchpad.net/taskflow/+bug/1225275
Change-Id: Ib99565e00eedc72c388e8ebec6b7f1453f77f30f
- Make docker image function work, add functional tests
- Use 'result' instead of 'output' in execution response
- Support string as execution input
- Update python runtime
Partially implements: blueprint qinling-functional-tests
Change-Id: Ie7e59983cfbc6f9e8514438e30a854f372a4c4d7
- Qinling is using etcd for distributed locking, especially for invoking
functions simultaneously.
- Get rid of function service and function worker mapping table
- Use etcd to store function service url and workers
Change-Id: I0a6abc98534dc95af5b985b6b6b4c0883263a221
This is an admin only operation, which gives admin user a safe way to
clean up the underlying resources allocated for the function.
Change-Id: If98ab5235902516f98be7d485e744cf3ea4cd262
Increase pod based on the execution rate in qinling-engine so it's
qinling's responsibility to decide when and how to autoscale pod
allocation. This behavior is configurable, the admin user can also
scale up the pod via qinling API manually.
Change-Id: Ie0b01481405daf10f495fa9d6389a624a82f0385
Implements: blueprint qingling-autoscaling
- Improve/Simplify python runtime
- Use non-locking for communication with db when invoking function.
- Add config option to run job handler.
- Pre-fetch runtime when query function in db.
Change-Id: I9e791aecf03d5bf64a39548e6c9bad1b678882af
As log says, 'oslo_messaging.transport.get_transport()' is deprecated.
The reference link of oslo_messaging is at [1].
[1] https://review.openstack.org/#/c/454194/
Change-Id: Ib4e8cc7b30a7541221d9ae2d244577b2dae5518d
When user creates function, qinling will create trust for the function
that can be used when function is invoked. This feature is especially
useful when the function is invoked by a trustee user.
Remove the trust for job accordingly because the job will always use
trust for the function.
Change-Id: I68c608a1f25f1008e13bff33325e7cd9914653ae
This is admin only operation. The load monitoring of function execution
depends on the monitoring solution of underlying orchestrator.
Implements: blueprint qingling-autoscaling
Change-Id: I2eff62a45a718d230b51f18c5a49e0abea5f3164
After function autoscaling support, it's impossible for qinling-engine
to get execution log because it doesn't know which pod it is talking
to.
So, it's necessary for the runtime to return execution logs to
qinling engine.
The qinling client is not affected.
Change-Id: I96dfd00cc83d8b8a5e8c601ee3800b1ef1a45b1b
Provide an API to do scale up operation, leave the container
monitoring to orchestrator underlay, although k8s already supports
HPA, but we should not rely on specific container orchestrator
capability for general purpose.
Partially implements: blueprint qingling-autoscaling
Change-Id: Iff1ff646a6df263b2770b8cebc74e80ab18c7613
After execution is finished, Qinling provides API to query execution
log for audit, debug or other purposes.
Implements: blueprint qinling-logs
Change-Id: Ie92619bf238c8e72e15c350c65bfbbb88a065f97
If the function is triggered by job, it's very hard to get openstack
session based on trust id, unless the qinling service credentials are
passed which will lead to security issue.
So, this patch will remove 'context' param for user function.
Change-Id: Ib0e185ad9729cf59e308b7ded683911a92624ad0
OpenStack service session is generated when downloading code from
inside the container, but when the function is invoked at a deferred
time, the token may already be expired.
Need to create the session when executing the function instead of
when downloading.
Change-Id: I8170bfb1c5f8b6cf88a744547db12cc12248aaca
If update image, will send asynchronous request to engine. If some
error happened during update, engine will rollback runtime
automatically.
Change-Id: I1598b1c04427dfdb7d573bbff8dc017f113c2fd2
Currently, the function entry is hard-coded to be 'main.main' which is
not flexible. This patch adds support for specifying module name and
function name in the code package.
Change-Id: I92ea36f668073f380a4aef4526a6fad321d8cc95
When a package function is executed, a service url is cached so it's
faster when function is executed again. But this will lead to problem
if function is never executed for a long time.
This patch adds an expiry mechanism which will release resources in
orchestration platform.
Change-Id: I754ebe314d87f6d7c194d9b9c061316f7ba74245
Allow user to create function using her own docker image including
all the code and dependencies inside. The image needs to have a
script running as entry point, expecting user's input as params.
This allows users to execute functions written in any language.