remove need to download pause image #11956
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
vrothberg
force-pushed
the
pause
branch
6 times, most recently
from
221e2f7
to
8dc7228
Compare
vrothberg
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
vrothberg
force-pushed
the
pause
branch
3 times, most recently
from
b17ea1a
to
3fddc12
Compare
|
@containers/podman-maintainers PTAL |
| if (getpid() != 1) | ||
| /* Not an error because pause sees use outside of infra containers. */ | ||
| fprintf(stderr, "Warning: pause should be the first process\n"); |
There was a problem hiding this comment.
What is the point of this check? It fails when I run a pod with --pid=host.
It also fails when we want to use this for the podman pause process.
There was a problem hiding this comment.
That is the exact copy from K8s. Seems like we need tests for --pid=host.
We could do that as well. In that case, the pause binary needs a dedicated directory. Currently it's in |
|
Sounds good to me. |
Looks like --rootfs is not the way to go. |
|
I tried something like this for my rootless cni work, if I remember correctly you have to create an empty writeable directory (ideally on tmpfs) and then bind mount the pause binary into this. This should allow you to use this dir as rootfs. |
|
Try: ./bin/podman run --rootfs /usr/libexec/podman:O /pause |
|
You can even play around with podman run -ti --rootfs /:O sh |
There was a problem hiding this comment.
I really like the changes you made to how/when specgen is filled out, I had been trying to think of a succinct way to move everything around! Only point of discussion is, we could use this as an opportunity (breaking change incoming) to marshal into the infra spec when using the API, could remove a lot of repetitive code and streamline the logic.
I would absolutely love that. This PR attempts to tackle parts of the code scattering but if we'd allow for the infra spec being marshaled, we could get rid of quite some additional/redundant code. @mheon, WDYT? |
|
@vrothberg did my suggestion on an overlay mount on /usr/libexec/pause/pause work? |
Yes, thanks. The overlay feature doesn't seem to be documented for |
@vrothberg Oh it seems I only added it with run manual https://docs.podman.io/en/latest/markdown/podman-run.1.html . Please let me know if its needs to be documented at any other place as well. I'll do it 😃 |
Thanks, @flouthoc! I have the 3.4 man pages installed, so I didn't see it :^) |
I tried that already but I keep getting the same errors. |
|
Back to building an image. I also refrained from consolidating the infra-spec gen code any further since it's super fragile. |
vrothberg
force-pushed
the
pause
branch
7 times, most recently
from
c4a2e7b
to
cd1ec56
Compare
Make sure to create the mounts for containers with an overlay root FS in the runtime dir (e.g., /run/user/1000/...) to guarantee that we can actually overlay mount on the specific path which is not the case for the graph root. [NO NEW TESTS NEEDED] since it is not a user-facing change. Signed-off-by: Valentin Rothberg <[email protected]>
Mount a directory from /var/tmp to /tmp to make sure that /tmp is not on an overlay mount. This should make overlay mounts possible in the containerized tests which we're currently skipping. Signed-off-by: Valentin Rothberg <[email protected]>
Add the k8s pause binary to `pause/pause.c` and do the plumbing in the Makefile to install it in $libexec/podman/pause/pause. It is intended to replace the k8s pause image and hence the need for network connectivity when creating pods. [NO NEW TESTS NEEDED] since it will be tested in a following commit. Signed-off-by: Valentin Rothberg <[email protected]>
So far, the infra containers of pods required pulling down an image rendering pods not usable in disconnected environments. Instead, build an image locally which uses local pause binary. Fixes: containers#10354 Signed-off-by: Valentin Rothberg <[email protected]>
|
Hallelujah 🙏 It's green. Once @giuseppe's openSUSE/catatonit#17 is merged (and released) we can update the code, remove |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
Yes, that would be ideal. Also, I loved @giuseppe's idea to implement the notion of a |
|
Yes that is a neat idea. Might be useful for lots of static use cases. |
github-actions
bot
added
the
locked - please file new issue/PR
So far, the infra containers of pods required pulling down an image
rendering pods not usable in disconnected environments. Instead, create
infra containers with an overlay root FS on
/usr/libexec/pause.Signed-off-by: Valentin Rothberg [email protected]
Please refer to the individual commits for further details.