Move weave script into tools image with its deps #388
Conversation
squaremo
force-pushed
the
remote_weaving
branch
from
15d58c2 to
5ec6c45
Compare
|
In terms of Looking the diff between weave script in master and driver script here: 47d46
< BASE_TOOLS_IMAGE=zettio/weavetools
50d48
< TOOLS_IMAGE=$BASE_TOOLS_IMAGE:$IMAGE_VERSION
72,78d69
< run_tool() {
< TOOL_NET=$1
< TOOL_COMMAND=$2
< shift 2
< docker run --rm --privileged --net=$TOOL_NET $TOOLS_IMAGE /bin/$TOOL_COMMAND "$@"
< }
<
143,147c134
< # disable offloading - we do this even when $BRIDGE already exists
< # simply because it has the desirable side-effect of ensuring we
< # have the $TOOLS_IMAGE and thus do not incur downloading-induced
< # delays in more time-sensitive sections elsewhere.
< run_tool host ethtool -K $BRIDGE tx off >/dev/null
---
> ethtool -K $BRIDGE tx off >/dev/null
228c215
< if run_tool host ethtool -K $GUEST_IFNAME tx off >/dev/null &&
---
> if ethtool -K $GUEST_IFNAME tx off >/dev/null &&
247c234
< run_tool container:$CONTAINER ethtool -K eth0 tx off >/dev/null &&
---
> ip netns exec $NETNS ethtool -K eth0 tx off >/dev/null &&
327c314
< run_tool host curl -s -X $http_verb "$@" http://$ip:$port$url
---
> curl -s -X $http_verb "$@" http://$ip:$port$url
622c609
< run_tool host conntrack -D -p udp --dport $PORT >/dev/null 2>&1 || true
---
> conntrack -D -p udp --dport $PORT >/dev/null 2>&1 || true
637c624
< run_tool host conntrack -D -p udp --dport $PORT >/dev/null 2>&1 || true
---
> conntrack -D -p udp --dport $PORT >/dev/null 2>&1 || true
All I can see is 247c234
< run_tool container:$CONTAINER ethtool -K eth0 tx off >/dev/null &&
---
> ip netns exec $NETNS ethtool -K eth0 tx off >/dev/null && |
|
Another thing that breaks: env vars, specifically any env vars that the current weave script pays attention to. Which are:
|
The We could alter things so that the outer script knew about versioning, so that you could do e.g.,
Yes, it needs updating.
Yes.
I have to admit I don't see how that can work without some contortions (e.g., put those commands in the weave script and include it in the image too, then call it from the driver when necessary). |
These would need to be passed as |
The logic in If these must be special-cased anyway, it's then not such a big deal to include the weave script in the tools image and use it for these particular commands. |
The aim of moving this into an environment variable is to give people a way to supply it without putting it on the command line. To achieve the same thing with the remote-actuation weave script, the password option parsing should be moved from the driver script to the weave script, and the driver script should receive it in an environment variable which is passes on to the container. |
That's what I was thinking. Doesn't mean it's the best approach though ;) |
I favour the |
squaremo
force-pushed
the
remote_weaving
branch
from
6513c25 to
ed100ec
Compare
VERSION, WEAVE_DOCKER_ARGS, DOCKER_BRIDGE, and WEAVE_PASSWORD can all get passed directly along. In the case of WEAVE_PASSWORD, there's no need to do the arg parsing first as described above, since it will pass along any arguments as well as the environment variable if present.
An elaboration: when acting as a remote, PROCFS refers to the host filesystem that should be mapped as a volume to |
|
VERSION is a tricky one. If it determines the weavetools image to run when acting remotely, it will mostly fail since earlier versions aren't set up to be called remotely -- for one thing they don't have the script in the container image. If the latest weavetools image is always invoked remotely, it seems against the spirit of using VERSION in the first place, although it will do the right thing mostly, which is to use weave and weavedns images of the given version. |
|
How does a user run this? Like |
As before, the user is expected to download the weave script and call (There's also the option of driving weavetools directly with the docker CLI, but that needs you to get a bunch of docker options exactly right) |
squaremo
force-pushed
the
remote_weaving
branch
2 times, most recently
from
522aa2a to
4a28f4c
Compare
I am trying to figure out what we want to happen, and I think it's this: If the invoked weave script has a version, or is given a version, it should try to call that remotely; this means
A problem is that if you want to remote control a version 0.8 weave, it'll fail because weavetools v0.8 doesn't have the weave script and therefore cannot be called remotely. This could be worked around by breaking with the name |
|
Making remoting work with old weaves is a nice-to-have at best. |
|
This is ready for another go-round. I'm going to test the release procedure, since I've changed the image name and so on. |
Oh except now you merged #387, I'll have to rebase. |
squaremo
force-pushed
the
remote_weaving
branch
from
8e38179 to
e62b3b2
Compare
Rebased. Ready for another look. |
| EXEC_IMAGE=$BASE_EXEC_IMAGE:$IMAGE_VERSION | ||
|
|
||
| exec_remote() { | ||
| docker run --rm \ |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
squaremo
force-pushed
the
remote_weaving
branch
from
e62b3b2 to
e504a75
Compare
This rearrangement means that the `weave` command can be used remotely; and, as a side-effect, the script that does all the work is using executables in its own filesystem, rather than invoking them via docker. The remote weavetools is given a terminal so it can be interrupted. With the flag `--local`, the script will assume all its dependencies are available and run then and there. Without the flag, it will run via the weavetools image (adding the flag to the invocation). A choice here is whether to base the tools image on scratch and add all the deps, or base it on something else. I've used alpine linux, which itself is based on busybox. This gives us the usual tools (sed etc.) while keeping the image size small. Adding the docker binary adds substantially to the image size, but it cannot always be e.g., bind-mounted. To mitigate this image bloat, we might build or otherwise get a client-only docker executable, or write a special-purpose client, or indeed rewrite the driver script and use a client library. This also makes the dockerhub user part of the image names parameterised, to make it easier to test the release process in full.
`apk-install` is a script that runs apk then tidies up. The problem is that it doesn't exit with an error if the install fails, which means that if some packages are unavailable at the time of building, it will still all go ahead.
This is to make a visible break with previous releases, such that a newly downloaded weave script will definitely work. Without this change in name, an existing weavetools image that doesn't include the script might be invoked, resulting in a confusing message for the user.
squaremo
force-pushed
the
remote_weaving
branch
from
cf644e6 to
3c5570c
Compare
As noted in weaveworks#388 comment 76958961, we need the docker client to be as old as possible while supporting what weave needs to do. At the minute that means version 1.3.1. The `apk` package index does not have old versions of docker, so the most direct way of getting a docker executable is to download the specific version from https://get.docker.com.
The way I've changed the script to use the "local" docker for |
| run_on $HOST mkdir -p `dirname $WEAVE` | ||
| cat ../weave | run_on $HOST sh -c "cat > $WEAVE" | ||
| docker_on $HOST load -i ../weaveexec.tar | ||
| cp ../weave ./ |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
|
rest looks good. |
The form of `docker -e` without an equals sign passes them along from the environment without the value appearing in the command.
| exit $? | ||
| fi | ||
|
|
||
| [ $(id -u) = 0 ] || [ "$1" = "run" ] || { |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
We want to be compatible with whatever docker the user has; `weave run` is the only command that passes on arbitrary args to docker (i.e., that doesn't have a fixed set of docker features that it needs). To make this workable we still need to do some things on the remote host: the IP attachment and figuring out the DNS settings (since those may depend on the bridge IP).
As noted in weaveworks#388 comment 76958961, we need the docker client to be as old as possible while supporting what weave needs to do. At the minute that means version 1.3.1. The `apk` package index does not have old versions of docker, so the most direct way of getting a docker executable is to download the specific version from https://get.docker.com.
squaremo
force-pushed
the
remote_weaving
branch
from
3c5570c to
520c54f
Compare
Move weave script into tools image with its deps and thus enable weaving on a remote docker Closes #312.
This rearrangement means that the
weavecommand can be usedremotely; and, as a side-effect, the script that does all the work is
using executables in its own filesystem, rather than invoking them via
docker.
A choice here is whether to base the tools image on scratch and add
all the deps, or base it on something else. I've used alpine linux,
which itself is based on busybox. This gives us the usual tools (sed
etc.) while keeping the image size small.
Adding the docker binary adds substantially to the image size, but it
cannot always be e.g., bind-mounted. To mitigate this image bloat, we
might build or otherwise get a client-only docker executable, or write
a special-purpose client, or indeed rewrite the driver script and use
a client library.
Closes #312, improves on #321