Add docker_storage_to_overlay2 role

[mbarnes]

This adds an adhoc playbook to change the Docker storage driver to overlay2.

Note, this makes no attempt to migrate existing containers/images. It momentarily stops docker.service and uses atomic storage reset to wipe all local Docker storage.

Tested on:

• RHEL 7.4 (works)
• CentOS 7.3 (always fails)
• Fedora 26 (works)

Some necessary changes for OverlayFS to support SELinux security labels landed in RHEL 7.4, so I had the playbook do a version check for RedHat/CentOS distributions. Presumably this will work on CentOS 7.4 once it's released.

[twiest]

We try really hard to not use shell. It's a very, very powerful module, which security wise is a bit scary.

More information from the openshift-ansible best practices guide:
https://github.com/openshift/openshift-ansible/blob/master/docs/best_practices_guide.adoc#The-Ansible-command-module-SHOULD-be-used-instead-of-the-Ansible-shell-module

Could we instead use command?

Something like:

  - name: Check if storage driver is already overlay2
    command: docker info
    register: storage_driver_check
    changed_when: False
    ignore_errors: yes

  - name: Transition storage driver to overlay2
    when: storage_driver_check.stdout | lower | search('storage driver:.*overlay2')
    block:
[... snip ...]

[mbarnes]

Ah ha, thanks for the link. I'll rework to avoid shell.

[twiest]

Same as above, consider switching to command instead of shell.

[twiest]

We use options like dm.basesize that I believe should work on both overlay and devicemapper.

Maybe allow us to pass these options in?

We need this option to be set (and possibly others).

[mbarnes]

dm.anything is devicemapper-specific, according to the docs.

The Docker daemon choked on it when I tried to pass it for overlay2:

$ systemctl status -l docker
...
... fatal_msg="Error starting daemon: error initializing graphdriver: overlay2: Unknown option dm.basesize\n"
... Failed to start Docker Application Container Engine.
...

The only documented option for overlay2 is overlay2.override_kernel_check, which we don't need.

[twiest]

Ah, interesting. So are we losing the ability to specify basesize?

If so, that's not good. What will keep a single container from eating up all of our docker storage volume?

[mbarnes]

@rhatdan: ^^ Can you answer this?

I'm iterating on your initial devicemapper-to-overlay2 playbook.

[mbarnes]

@twiest Did some Googling on your question and found this Moby PR.

The PR enables disk quota limits to be set per-container by way of a --storage-opt size option when using the overlay2 backend on an XFS filesystem:
e.g. docker run --storage-opt size=3g -it fedora /bin/bash

But the catch is the XFS filesystem must be mounted with project quota (pquota) support instead of the noquota default. And I don't see a way to inject that mount option by way of container-storage-setup.

Does this help at all, or is a limit-per-container a non-starter?

[twiest]

@mbarnes that is the functionality we want, but we'd need to ensure that whatever is starting the containers supports that. In this case, that'd mean openshift-node / CRI-O. As far as the pquota mount option, we'll need to have the container storage volume mounted via the fstab I assume, so we can work with that, I think.

@mrunalp Does CRI-O support setting --storage-opt size=3g on container start? We need a way to limit the amount of space a container can take on the container storage volume.

[mbarnes]

Submitted projectatomic/container-storage-setup#255 to see if we can get the pquota option into container-storage-setup.

The docker-storage-setup.service unit is what actually mounts the volume during boot, and I'd prefer to solve this in the tooling, but we might have to hack /etc/fstab as an interim solution.

[twiest]

Ah, ok, I didn't realize that.

I agree with you that it'd be better to fix in the tooling.

[mbarnes]

@twiest : I found what we need! Add overlay2.size daemon storage-opt

But this feature was only just added in June and isn't available where we need it to be. I emailed you and @rhatdan about it.

[twiest]

@mbarnes that's great, good find!

[mwoodson]

My guess is this needs to use the openshift-ansible inventory format.

[mbarnes]

Yeah, I had no idea how to write that part. Was copying off some other adhoc playbook.

Can you elaborate what openshift-ansible inventory format looks like?

[sdodson]

Yeah, this should either be hosts: nodes or we'd have to initialize the groups and then it'd be hosts: oo_nodes_to_config

[sdodson]

Sorry, let me clarify, if we leave it in adhoc hosts: nodes is the right thing to do. If we expect this to be supported for OCP use we should initialize the groups in playbooks/byo/openshift-node/docker_storage_to_overlay2.yml and move the logic to playbooks/common/openshift-node/docker_storage_to_overlay2.yml

[mbarnes]

Okay, thanks for clarification, I'll make it hosts: nodes for now.

[mbarnes]

⬆️ Fixup commit addresses @twiest's comments.

I managed to avoid the shell module, but isolating text in a multiline string in Ansible is pretty tricky, it turns out. If you know of an easier way than what I'm doing here, do tell!

Other miscellaneous tweaks here too.

I'm still not sure what to do with the hosts: value...

[mbarnes]

I took a closer look at the final state of the system after running this playbook, and found that container-storage-setup was not mounting the device previously used for devicemapper despite specifying DEVS and VG in /etc/sysconfig/docker-storage-setup.

The contents of /var/lib/docker/overlay2 appear to be on the root logical volume.

Reading the https://github.com/projectatomic/container-storage-setup code, it looks like the setup tool is looking for a couple additional parameters for overlay2:

• CONTAINER_ROOT_LV_NAME
• CONTAINER_ROOT_LV_MOUNT_PATH

I'm currently trying to figure out how to set these properly.

Update: Looks like the best way to set these is via atomic storage modify with the --lvname and --rootfs options.

[mbarnes]

2nd fixup commit adds --lvname and --rootfs options to the atomic storage modify command. Now, the volume group previously used for devicemapper has a logical volume named docker-root-lv mounted at /var/lib/docker.

$ lsblk
NAME                           MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
...
vdb                            252:16   0   16G  0 disk 
└─vdb1                         252:17   0   16G  0 part 
  └─docker_vg-docker--root--lv 253:2    0  6.4G  0 lvm  /var/lib/docker

Does that look like the configuration we want for overlay2?

[mbarnes]

FTR, matched the generated configuration to what a subject-matter-expert recommends.
So I believe I'm on the right track.

[mrunalp]

@nalind PTAL

[rhatdan]

@mrunalp I think you meant @rhvgoyal PTAL

[mbarnes]

⬆️ Squashed the fixup commits and rebased on master with a few enhancements:

• Document the overlay2 driver enhancements required for the overlay2.size option.

• If present, capture the dm.basesize value and apply it to overlay2.size.

[mbarnes]

@mwoodson, @twiest: Also PTAL

[mbarnes]

⬆️ Added a test for container-storage-setup >= 0.7.0 which mounts with pquota enabled.

[mbarnes]

/test tox

[mbarnes]

⬆️ Squashed fixups and rebased again...

[dak1n1]

Just checking -- this will also update the driver on the masters, right? Ops would like the storage driver configurations to be consistent across masters and nodes.

[mbarnes]

@dak1n1 Ah okay, wasn't clear to me what to use for hosts.

Should this then be:

hosts:
- masters
- nodes

?

[dak1n1]

We have a module we prefer to use for this, repoquery. For example:

- name: Get {{ item.key }} version
  repoquery:
    name: "{{ item.key }}"
    query_type: installed
    show_duplicates: True
  register: package_version

And I believe the data you want would be in package_version.results.versions.available_versions_full.

[dak1n1]

(This is more of a "nice to have" feature, btw. It doesn't have to hold up the stg testing.)

[dak1n1]

I just noticed this comment. How about if this playbook was a role instead, so Ops could call it after we migrate containers onto new nodes? Then we could control how many hosts have their storage wiped at once, and make sure users' apps remain running on other nodes. (Otherwise this would be too much of an outage to do in production). @mwoodson @jupierce thoughts?

[dak1n1]

@sdodson Do you guys have an existing framework we could plug destructive roles like this into? For example, it would drain 10% of nodes at a time, and then run whatever role you need. Like a yum update+reboot role, or this docker storage reset role.

(I have something that I use for that, but I'm supposed to check upstream before making custom playbooks).

[dak1n1]

@sdodson unping. Turns out we have approval to just use my playbook as a wrapper for this.

[sdodson]

@dak1n1 Your playbook just wraps the group evaluation or have you moved this into a role?

[dak1n1]

Another "nice to have"... Ops likes everything to be in module form if possible, rather than commands. The slurp module will do what you need for this task. https://docs.ansible.com/ansible/latest/slurp_module.html

[mbarnes]

@dak1n1 ⬆️ Addressed all the "nice to haves". Awaiting guidance on whether/how to convert this to a role, like you mentioned above.

[sdodson]

Wrap these two tasks in a block that only fires when a quota is specified so that they can migrate to overlayfs without quotas if they don't meet the version requirements?

- block:
  when:  disk_quota|length > 0

[mbarnes]

Good idea

[mbarnes]

⬆️ Implemented @sdodson's suggestion.

Working now on converting this all to a role so it can be wrappered for ops.

[mbarnes]

⬆️ Rebased again and converted the whole thing to a role.

@sdodson, @dak1n1: 1st time writing an Ansible role, so further review is much appreciated.

[kwoodson]

@ashcrow, @michaelgugino,

Please weigh in on this. This is the migration from device-mapper to overlay for docker.

[ashcrow]

It's looking good. Added a few notes.

[ashcrow]

Googling this gives some weird results!

[ashcrow]

@kwoodson as in:

role_storage_setup_path

or

docker_storage_to_overlay2_storage_setup_path

[ashcrow]

No change needed but openshift_facts does set openshift.docker.service_name which will expand to either docker.service or container-enginer.service.

[mbarnes]

👍 Nice, that's handy. Also see my question above about docker info.

[ashcrow]

openshift.docker.service_name might be used here if container-engine is also supported.

[mbarnes]

Yeah, about that. What would be the equivalent to docker info when using the container-engine system container?

In my playbook that uses this role, I run docker info at the beginning and extract the "Storage Driver" value. If it's already "overlay2" I skip the whole thing so the playbook is idempotent. I'd like to preserve that feature when using container-engine.

[ashcrow]

docker info should be the same. docker client is installed and will use container-engine service.

[ashcrow]

I really want to see this make it into the installer. This would make use of overlay, which is becoming common, much easier.

[ashcrow]

👍

[ashcrow]

Note that when origin is installed the service is called origin-node.service You can use {{ openshift.common.service_type }} to get the proper one.

[mbarnes]

General question: Does Ansible (or openshift-ansible) provide a module for rebooting a host and waiting for its SSH service to come back up? I copied someone's Stack Overflow solution for this, but I'm surprised it's not built-in. Seems basic for an automation system.

[sdodson]

@mbarnes here's the task we use for this else where, the waiting for the api you don't need.
https://github.com/openshift/openshift-ansible/blob/master/playbooks/common/openshift-master/restart_hosts.yml

[ashcrow]

@mbarnes Check out playbooks/common/openshift-master/restart_hosts.yml which is likely similar to what you found online.

[mbarnes]

@sdodson, @ashcrow: Thanks, that at least looks similar to what I'm doing. I need to reboot non-master nodes too, so I guess I'll stick with what I have for now.

[ashcrow]

@giuseppe PTAL as well.

[michaelgugino]

I think we should support overlay2, but I don't think we should support it in an ad-hoc manner. I think this should be a supported storage option in-line with how we support other storage options.

We should not do any hard-removing of existing storage. This should be an up-front decision, and if a node needs to go from one docker storage type to another, that node needs to be reconfigured from scratch.

Let's hold off on this, and pick back up when we start work on 3.8.

[michaelgugino]

I'm hoping to refactor all of the docker portions out of openshift_facts. That almost shipped this cycle, but slipped due to feature freeze.

[michaelgugino]

We're stripping out the docker portions of openshift_facts.

I agree, this doesn't need to be it's own role.

[mbarnes]

We should not do any hard-removing of existing storage. This should be an up-front decision, and if a node needs to go from one docker storage type to another, that node needs to be reconfigured from scratch.

Just to add context here, I'm writing this for the OpenShift Online operations team as a prerequisite for moving to CRI-O, and for the Online clusters I wrappered this role with a playbook that drains each node before doing the storage conversion.

I was planning on trying to adapt that playbook for inclusion here, unless you think it's the wrong approach.

[michaelgugino]

Yes, my intention is to remove everything openshift.docker and remove all openshift.x variables from the docker roles.

[michaelgugino]

My preference is to put things in defaults/main.yml unless there's a specific reason not to.

[michaelgugino]

I was planning on trying to adapt that playbook for inclusion here, unless you think it's the wrong approach.

I think it's best to leave that kind of playbook in contrib or a related repo. I don't think we should have playbooks that wipe away containers and storage as it just opens the door for users to misapply those playbooks. This would put a large burden of support on these plays to build tons of safeguards and any regressions could have catastrophic effects.

I would assume that these nodes need to be drained, configured, and re-added, so that seems like someone might as well rebuild the node or add new nodes and retire the old ones.

[ashcrow]

@mbarnes let @michaelgugino know when you are ready to have this re-reviewed.

[mbarnes]

@mbarnes let @michaelgugino know when you are ready to have this re-reviewed.

I think I fixed or commented on everything mentioned, so it's ready for re-review.

I still think it makes sense to merge the docker_storage_driver role into some Docker fact collecting role -- whether that's openshift_facts or a separate docker_facts or whatever else @michaelgugino had in mind -- since I found a 2nd use case for it (grow_docker_vg).

I wasn't privy to all the discussions about this last week. Is current thinking that just the role is being considered, or should I resume trying to add some node-draining wrapper playbook like what I'm currently using for Openshift Online?

[ashcrow]

@michaelgugino ⬆️

[sdodson]

https://trello.com/c/IGCV4VRH/561-add-devicemapper-to-overlayfs-migration-playbook card for CL team to track getting this into 3.9 in a supported manner.

[michaelgugino]

I added this topic as a discussion item for this week's architecture meeting.

[ashcrow]

Don't forget to explicitly invite @mbarnes to the meeting!

[ashcrow]

What's the status of this PR post meeting?

[sdodson]

What's the status of this PR post meeting?

reviewing my notes we said we'd put in a card to deliver this for 3.9 in a supported manner.

https://trello.com/c/IGCV4VRH/561-3-add-devicemapper-to-overlayfs-migration-playbook

[ashcrow]

@sdodson ok thanks!

[openshift-ci-robot]

@mbarnes: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/logging	1cb7c07	link	/test logging
ci/prow/e2e-aws	1cb7c07	link	/test e2e-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[kwoodson]

I'd recommend closing this as its been over a year.

[vrutkovs]

Master branch is closed! A major refactor is ongoing in devel-40. Changes for 3.x should be made directly to the latest release branch they're relevant to and backported from there.