Running containers inside of a container environment (with docker-compose.yml) using podman? #746
Comments
|
I'd love to get something similar to |
|
slightly related: we need to ensure that we correctly pass |
|
@giuseppe I worked on that a while ago. But not sure if I got it all working. Would also like to get socket activation working properly. Both would be cool features that don't work in Docker. |
|
@edsantiago @TomSweeneyRedHat Could you guys attempt to setup a test to make sure NOTIFY_SOCKET and SD_NOTIFY works with podman? |
|
@rhatdan in progress ... but infuriatingly nonworking. And according to my notes, reminiscent of my frustrations in October 2016. It Just Ain't Working. The simplest reproducer I can come up with is: This just hangs. No error, also no output. It also hangs in such a way that The Same results when running from a systemd init file (without the Am close to giving up for today. This has taken a good chunk of time. |
|
@edsantiago Separate locking issue from #658 - this is us holding the container lock until runc has finished executing, to try and order container operations. The root cause here appears to be the |
|
This seems to be close, although I am getting Connection Refused. The passing of the socket is there and the mounting of the socket is there. I don't know why ncat is refusing the connection. |
|
I think systemd uses a DGRAM socket, so you need It does not hang without |
|
Date is not doing anything with the socket, so this looks like the integration between podman/runc and the socket file is causing issues. I will see if I can repeat the failure on my machine. |
|
Yes - my use of |
|
Seems to be working for me now With podman in master. |
|
Never mind It is hanging. |
|
This is where runc is hanging. |
|
I'm somewhat leaning toward it being a runc issue, not podman, but have no actual evidence to base that on. |
|
I agree, I am now thinking this is an issue with runc. I need to setup runc with the NOTIFY_SOCKET to see if it hangs also. |
|
It looks like the --udp is the key flag that is causing the issue. If I remove the --udp runc finishes right a way. |
|
Yes, but as best I can tell |
|
|
So it this the equivalent of doing what Systemd does for socket activation. |
|
That's what I think, and it's what I'm trying to do, and the behavior is consistent... but I don't really know. |
|
I sent an email off to systemd-maint/lennart asking them what is the best way to implement this. |
|
lsof /run/systemd/notify /run/mysock But it looks like you are correct. I would figure runc will hang if done with socket activation. @giuseppe Did you ever run systemd containers using sd_nodify? |
|
I think this happens because of the interaction of conmon and runc. We have system containers using NOTIFY_SOCKET, but system containers don't pass in additional file descriptors and this makes the difference. In any case, the issue is for sure in runc: |
|
I will be gone for 2 weeks and unable to play here during that time. Once the runc hang gets resolved, Shishir has a great, tiny, simple way to test sdnotify in a container: https://github.com/shishir-a412ed/runc-notify |
|
Actually I think this is pure runc. Hangs Not conmon involved. |
|
this is probably a regression, I remember NOTIFY_SOCKET working well with runc, I'll take a look |
|
I've opened a PR for runc: opencontainers/runc#1807 |
with opencontainers/runc#1807 we moved the systemd notify initialization from "create" to "start", so that the OCI runtime doesn't hang while waiting on reading from the notify socket. This means we also need to set the correct NOTIFY_SOCKET when start'ing the container. Closes: containers#746 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Wait, what? Why did this get closed? I don't see anything relating to having functionality like this implemented in podman git master... |
|
At some point we started discussing issues related to sdnotify. Those are fixed. The core of the issue, is not. @baude is working on some things that do touch the scope of the original issue, but I don't think they're exactly what you're looking for |
|
@mheon If it's something like OpenShift ImageStream+BuildConfig+DeployConfig yaml with podman, that works too. |
|
The opposite, actually - Kube (and maybe Openshift) YAML from Podman containers |
|
@Conan-Kudo Not really sure what that means. We want to experiment with using podman commands that people are used to to generate the environment. Our goal is not to force a user to edit a configuration/yaml/json... file to build an application containing multiple pods/containers working together, using podman. Then use podman to extract out of the libpod configuration, kubernetes yaml files to be able to easily launch the same environment into OpenShift/Kubernetes. Simplest would be to launch a container with podman and then extract out a yaml file to describe how to run the same container in kubernetes. |
|
@rhatdan The idea would be that you'd be able to make a minimal YAML/JSON definition in the OpenShift style to spin up groups of containers with Podman that also happened to just easily import right into OpenShift, so the mechanical process of starting an application as a container would work the same way for single node (Podman) and multi-node (OpenShift). |
|
I would really like to get that case covered - I think our current Kubernetes/Openshift JSON generation misses the original point of Compose (single-node orchestration) |
|
Well one case @baude is looking at is Replay which would take the generated kubernetes yaml and recreate the containers/pods with podman. I was actually asked about that last night after mentioning it in a talk I was giving to the NYLUG. My fear though is going to be trying to support all Kubernetes Yaml config, which could become a huge time sync. |
|
I wouldnt worry about supporting all the kube yaml config. Most of it will be too tough to process and make assumptions in podman about. Again, if we take this approach of only kube, we will have what i would refer to as a "lite" approach to this. |
|
Perhaps slightly unrelated, but as Podman provides a basic "Docker-compatible CLI" via the |
|
I'm pretty sure docker-compose interfaces with docker via the socket, not
the cli... so a #nobigfatdaemons design breaks this stuff.
…On Tue, Feb 5, 2019, 10:08 PM Gert-dev ***@***.*** wrote:
Perhaps slightly unrelated, but as Podman provides a basic
"Docker-compatible CLI" via the docker script (which seems to just be a
script to place in /usr/bin/docker that in turn executes /usr/bin/podman),
how well does Docker Compose work with this script? Does it not work at all
due to reliance on specifics of Docker itself? Does it work, but require
minor adjustments?
|
|
We don't support Docker-compose, so I am not sure how much of it is talking to the docker socket versus executing the command. POdman is a replacement for the Docker CLI, not the Docker engine API. |
|
Also tried to find alternative of docker-compose for podman, because creating/updating pods using bash ends with heavy logic and ansible roles - executes much slower. Using 'podman play' is very promissing feature, but I think this might lead to podman will have to adopt to k8s api changes all the time. Docker-compose is a separate tool, so maybe separate podman-compose/podman-kube/podman-<your_name_here> wrapper over podman will do better job. |
|
It's probably need to add a notice in README that docker-compose functionality is out of the scope of podman. People sometime thinks that docker-compose is a part of docker cli and want to find it in podman. |
Also mention that Podman does/will not support `docker-compose`. Fixes: containers#746 (comment) Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Thanks for the suggestion, @SergeyBear. I've opened #2428 to address it. |
|
IMHO, adding k8s generator to podman may lead to problems like k8s had with runtime and storage drivers, when developers had to add and support a lots of techs, that eventually ended with creating CRI and CSI. Some will need k8s support, others - swarm and so on... |
|
@SergeyBear Sure. the goal was to make it easy to transition from a traditional container environment to a Kubernetes environment. But once we did that we needed a way to allow users to transition back, which is why we added play. But we did not want to lock our selfs to just Kubernetes, so I definitely could see us supporting other formats. Which is why we have podman generate kube, if some other format took off we might support that also. |
|
I just found great post about podman play and generate that describes in detail usecases. |
|
I found this project called |
|
We are actually working to move this under the github.com/containers umbrella. |
github-actions
bot
added
the
locked - please file new issue/PR
/kind feature
Description
I'd like to be able to run and test batches of containers defined with
docker-compose.yml. As it is now, doing this with actual Docker inside an environment that runs through Docker gets rather risky and leaky in all kinds of bad ways.For building containers, I'm starting to use
buildahfor this, but I don't quite yet have an answer for running them. The goal is to be able to build and test in a manner that is consistent with how people can do it on their local machines, and easily transition to OpenShift for production run environments.Additional environment details (AWS, VirtualBox, physical, etc.):
GitLab CI runners with Docker container (of Fedora with buildah + podman)
The text was updated successfully, but these errors were encountered: