-
Notifications
You must be signed in to change notification settings - Fork 884
rkt: add command to export a pod to an aci #2889
Conversation
There's a problem on no-overlay fly pods. Since we mount This is a problem because trying to write files from those dirs in a tar file cause general badness and errors. For example, There're several things we can do:
I think the third option sounds reasonable for now. Opinions? |
As a future user of the feature, the second option sounds the least surprising. I can't think of any situation where traversing a mount point would be expected. Presumably this is happening after volumes have been unmounted? |
The volumes are still mounted on the "fly" case after the container exits, but I think not exporting the volumes is reasonable. |
👍 for avoiding traversing mountpoints. Will this also let us preserve files "masked" by mounts? I assume it will if all the mounts are unmounted first. e.g. if the original aci has a file |
I think capturing files masked by mounts is the definitely the correct behaviour. Real example: mounting In a More abstractly, if you're using |
I'd like to emphasize that the problems mentioned in #2889 (comment) only apply to "fly" pods. On regular pods we already get the behavior mentioned in #2889 (comment): when the container is exited, all the mounts are unmounted. I'm not sure if making export work with "fly" pods is worth the complexity of implementing it. Since "fly" is just meant to execute single apps with no isolation taking advantage of rkt's image distribution mechanisms, I don't think exporting "fly" pods is a very useful use case. |
I don't think that pods that are both no-overlay and fly should be a priority for To detect that rkt is in this special case in order to print an error message ("export unsupported for this kind of pod"), we could either:
Checking mountpoints is better because we don't need to commit to any new API between stage0 and stage1 (see Stage1 ACI implementor's guide). |
I agree with @alban |
Thanks for the reminder @iaguis. I missed the distinction that the issue you were referring to only applied to no-overlay fly stage 1 at the beginning, and I think I got a bit distracted by the "exportable" annotation suggestion. My main concern was that there shouldn't be varying behaviour around what gets exported, and that export should generally be expected to work. Quite happy with testing for conditions which prevent a consistent export and failing on them though. (ie. Failing because things are still mounted, not because it's fly + no-overlay.) I agree with @alban that getting something merged is much more important at this stage than having it work with no-overlay in all stage 1 implementations. |
6736dfe
to
a27c9fa
Compare
Updated. PTAL. |
I think "unsupported, app has mountpoints" is a bit terse. How about:
As a user, I'd have some idea what to fix then. Am I correct in assuming that the exited pod can still be cleanly exported if somebody manually removes the mount points? Otherwise, I like it and I'm keen to see it merged. 👍 |
a27c9fa
to
2da24a7
Compare
Changed the message to:
|
PTAL? |
// MountCfg contains the needed data to construct the overlay mount syscall. | ||
// The Lower and Upper fields are paths to the filesystems to be merged. The | ||
// Work field should be an empty directory. Dest is where the mount will be | ||
// located. Lbl is an syslinux label. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
syslinux label or SELinux label?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SELinux
This adds a new `export` command to rkt which generates an aci from a pod; saving any changes made to the pod. Usage is `rkt export POD_UUID my.aci` This is currently restricted to only working with exited pods with a single app and that have been run with the --no-overlay option. Fixes rkt#1197
testContent = "ThisIsATest" | ||
) | ||
const ( | ||
testAci = "test.aci" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why making this global? It seems to be used only 1 time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup
Also tries to simplify things in areas; remove some const variable checks, etc.
It wasn't working if the overlay fs was unmounted (e.g. because of a reboot). Also: * Randomize the temporary directory where we mount the overlay fs so an inconsistent state doesn't affect future exports. * Change path.Join to filepath.Join. * Simplify overlay.Mount, we don't need to return the mounted path. * Fix typos and wrap overlay documentation.
return 1 | ||
} | ||
if hasMPs { | ||
stderr.Printf("pod has mountpoints. Only pods using overlayfs or with no mountpoints can be exported") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about "pod has remaining mountpoints"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure
Some minor questions. LGTM after that. |
If we're using "fly" the mounts we do (`/dev`, `/proc`, `/sys` and `/tmp` and other user-defined mounts) are in the host's mount namespace. Trying to export this kind of pods causes problems (e.g. some files in `/proc` cannot be directly read). Also, the user doesn't expect the contents of mountpoints to be exported. This is not problematic if we use overlay, because in that case we derive the exported fs from the ACI image plus the upper layer. To avoid problems, if the pod doesn't use overlay, we refuse exporting if the app has mountpoints inside.
So we can test with fly.
2da24a7
to
461fce0
Compare
Updated. |
LGTM if green |
The failure on fedora-23 seems unrelated:
It seems to fail sometimes: see #2432 |
Adds a new
export
command to rkt which generates an aci from apod; saving any changes made to the pod.
Usage is
rkt export POD_UUID my.aci
This is currently restricted to only working with exited pods with a
single app.
Fixes #1197