This repository has been archived by the owner on Aug 14, 2020. It is now read-only.

goaci flannel does not work #15

Open
alban opened this issue Feb 27, 2015 · 8 comments

Comments

@alban
Member

alban commented Feb 27, 2015

$ bin/goaci github.com/coreos/flannel
GOPATH env var is ignored, use --go-path="$GOPATH" option instead
/tmp/goaci335005087/src/github.com/coreos/flannel/main.go:21:2: C source files not allowed when not using cgo: proxy.c
error running go: exit status 1

To compile it statically, I used:
endocode/flannel@fa44d5c
endocode/flannel@0bca2d2
(initially tracked in rkt/rkt#389)

The .aci produced was enough to start flannel in a container and create the flannel0 network interface.

However, "flannel --ip-masq" also execs iptables with exec.Command("iptables" ...
So it needs the iptables binary in the .aci to make use of the --ip-masq option (it is used in CoreOS).

Can goaci build ACIs with dependencies? Maybe the flannel aci could depend on an iptables aci?

/cc @eyakubovich

@bcwaldon

I actually just rocketized something that depended on execing iptables. I had to do a few things to get it to work:

  • add the CAP_NET_ADMIN capability
  • bind mount in /usr and /lib64
  • manually set the PATH env var (rkt does not appear to set it)

@eyakubovich

@bcwaldon if you bind mount the things you depend on, of course it'll work. But it destroys the very definition of what a container is: you bring your dependencies with you.

@bcwaldon

@eyakubovich It sounds like you want a VM, then :trollface: Yes, it does blur the lines, but you already have to depend on certain things from the host (e.g. the kernel). When we're talking about something like flannel, whose primary goal is to modify the host it's running on, the definition of "container" isn't as clear.

@eyakubovich

@bcwaldon The level of isolation/namespacing you want in something like flannel is much less -- clearly you don't want private networking. But bringing your dependencies (shared objects, utilities) with you should always apply. Otherwise, which part of "container" is it using? Might as well distribute the raw binary.

@bcwaldon

@eyakubovich wrapping flannel in a container is still valuable for two primary reasons:

  1. the metadata that describes what the container is
  2. the ability to distribute flannel using the same mechanism as your other containers

@eyakubovich

@bcwaldon I'm not arguing that containerizing flannel is not valuable. I'm just saying that the container needs to live up to its promise and include its dependencies. If we can't do that for the moment, fine. But in general, if we don't have a way to package up an app because it has dependencies, it's a big problem. Luckily we have docker2aci now so I would support converting our Docker container into an ACI.

@jonboulle
Contributor

Is there any point in exploring using the new assets inclusion mechanism that landed in #13 to achieve this?

@eyakubovich

I think we can try. I'm not sure how to specify flannel's and iptables' dependencies (shared objects). We can just hard-code it or run ldd and parse its output.
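One way to do the "run ldd and parse its output" step mentioned above, as an added example that is not code from goaci or the flannel project: the parser takes ldd output (a constructed sample is embedded, with paths typical of a glibc x86_64 host) and returns the shared objects to copy into the ACI rootfs plus any that are unresolved, so a missing library fails the packaging step instead of producing an image that only works with host bind mounts.

```python
"""Resolve the shared-object dependencies of a binary from ldd output."""
import re
import subprocess

# Constructed sample of ldd output for this example (not from the issue).
# It covers the vDSO line, normal "name => path" lines, the bare loader
# path, and a library that cannot be resolved on the build host.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f2000)
\tlibxtables.so.12 => /usr/lib64/libxtables.so.12 (0x00007f1c3e5a1000)
\tlibm.so.6 => /lib64/libm.so.6 (0x00007f1c3e4a0000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1c3e2b0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c3e7c0000)
\tlibmissing.so.1 => not found
"""

_LINK = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-f]+\)\s*$")
_DIRECT = re.compile(r"^\s*(/\S+)\s+\(0x[0-9a-f]+\)\s*$")
_MISSING = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$")


def parse_ldd(output):
    """Return (sorted paths to include in the ACI, list of unresolved names).

    vDSO entries carry no file on disk and are skipped; "name => path" and the
    bare loader path are collected; "not found" entries are reported separately
    so the caller can refuse to build an image that is missing a dependency.
    """
    include = set()
    missing = []
    for line in output.splitlines():
        m = _LINK.match(line)
        if m:
            include.add(m.group(2))
            continue
        m = _DIRECT.match(line)
        if m:
            include.add(m.group(1))
            continue
        m = _MISSING.match(line)
        if m:
            missing.append(m.group(1))
        # anything else (vDSO, "statically linked", blank) names no file
    return sorted(include), missing


def ldd_deps(binary):
    """Run ldd on a real binary (assumes ldd is on PATH) and parse the result."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    return parse_ldd(out)


if __name__ == "__main__":
    paths, unresolved = parse_ldd(SAMPLE_LDD)
    print("\n".join(paths))
    if unresolved:
        raise SystemExit("unresolved shared objects: " + ", ".join(unresolved))
```

The returned paths would be copied into the image rootfs alongside the binary; ldd_deps does the same against a real file on the build host.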
