oc cluster up in user namespace mode: unbreak available ports check #14169
Conversation
| return false, err | ||
| } | ||
| for _, val := range info.SecurityOptions { | ||
| if val == "name=userns" { |
There was a problem hiding this comment.
This check depends on the format of SecurityOptions and could be broken by updates in Docker but I think that I couldn't do anything better than this. Using strings.Contains() won't make this check better IMHO.
pkg/bootstrap/docker/run/run.go
Outdated
| @@ -112,7 +125,11 @@ func (h *Runner) Env(env ...string) *Runner { | |||
|
|
|||
| // Privileged tells Docker to run the container as privileged | |||
| func (h *Runner) Privileged() *Runner { | |||
There was a problem hiding this comment.
Privileged option doesn't work in user namespace mode, so I'm emulating it's behavior. Because signature of Privileged hasn't changed, we don't need to update existing code.
There was a problem hiding this comment.
privileged + host user namespace combo works. It may be safe here that if this method is called always call HostUserns. Not setting h.hostConfig.Privileged is going to result in different behavior so it should still be set.
There was a problem hiding this comment.
I remember that Docker doesn't allow --privileged option so I thought that API also doesn't accept it. Ok, I'll try it on Monday.
There was a problem hiding this comment.
Thanks! I've updated the code accordingly.
pkg/bootstrap/docker/up.go
Outdated
| @@ -714,14 +714,19 @@ func (c *ClientStartConfig) EnsureDefaultRedirectURIs(out io.Writer) error { | |||
|
|
|||
| // CheckAvailablePorts ensures that ports used by OpenShift are available on the Docker host | |||
| func (c *CommonStartConfig) CheckAvailablePorts(out io.Writer) error { | |||
| userNamespace, err := c.DockerHelper().UserNamespaceEnabled() | |||
There was a problem hiding this comment.
Initial idea was to invoke this function during helpers creation but in this case we couldn't report about possible error. The only way that I found is to invoke it from CheckAvailablePorts(). That's why signature of TestPorts() has been modified.
There was a problem hiding this comment.
Why not ? (report about possible error)
If an error is returned by the docker info call, then cluster up should terminate. You can pass a dockerhelper to the NewRunHelper function.
There was a problem hiding this comment.
I think it's less robust if you rely on the caller/client to figure out if you have user namespaces turned on.
There was a problem hiding this comment.
The comments were addressed. PTAL.
pkg/bootstrap/docker/run/run.go
Outdated
| @@ -46,6 +47,12 @@ func (h *Runner) Name(name string) *Runner { | |||
| return h | |||
| } | |||
|
|
|||
| // UserNamespace sets user namespace mode flag that affects behavior of other options. | |||
There was a problem hiding this comment.
I would like to make this part of the constructor for this helper (NewRunHelper). I don't think we should rely on the client to set it to the proper value.
pkg/bootstrap/docker/up.go
Outdated
| @@ -714,14 +714,19 @@ func (c *ClientStartConfig) EnsureDefaultRedirectURIs(out io.Writer) error { | |||
|
|
|||
| // CheckAvailablePorts ensures that ports used by OpenShift are available on the Docker host | |||
| func (c *CommonStartConfig) CheckAvailablePorts(out io.Writer) error { | |||
| userNamespace, err := c.DockerHelper().UserNamespaceEnabled() | |||
There was a problem hiding this comment.
Why not ? (report about possible error)
If an error is returned by the docker info call, then cluster up should terminate. You can pass a dockerhelper to the NewRunHelper function.
pkg/bootstrap/docker/up.go
Outdated
| @@ -714,14 +714,19 @@ func (c *ClientStartConfig) EnsureDefaultRedirectURIs(out io.Writer) error { | |||
|
|
|||
| // CheckAvailablePorts ensures that ports used by OpenShift are available on the Docker host | |||
| func (c *CommonStartConfig) CheckAvailablePorts(out io.Writer) error { | |||
| userNamespace, err := c.DockerHelper().UserNamespaceEnabled() | |||
There was a problem hiding this comment.
I think it's less robust if you rely on the caller/client to figure out if you have user namespaces turned on.
php-coder
force-pushed
the
oc_cluster_up_and_ports_in_userns_env
branch
2 times, most recently
from
eb35c3f to
c8553a2
Compare
pkg/bootstrap/docker/run/run.go
Outdated
| if err != nil { | ||
| return "", "", 0, err | ||
| } else if userNsMode { | ||
| h.hostConfig.Privileged = false |
There was a problem hiding this comment.
Why set this false? If the client has called Privileged on this Runner, then UserNsMode would be set to "host", which would work with Privileged set to true, right?
Actually I would get rid of the HostUserns method introduced above and instead, check here if Privileged is set, then if it is, then set h.hostConfig.UsernsMode to "host". Otherwise, leave it alone.
I would think you don't want to set hostConfig.UsernsMode to host if user namespaces is not abled.
There was a problem hiding this comment.
Why set this false?
Because privileged option can't be used in user namespace mode (see the error message in the original issue: Privileged mode is incompatible with user namespaces).
check here if Privileged is set
Yes, thanks. I'll update this condition tomorrow.
There was a problem hiding this comment.
Condition has been updated. PTAL.
php-coder
force-pushed
the
oc_cluster_up_and_ports_in_userns_env
branch
2 times, most recently
from
21e9a01 to
378d20e
Compare
|
The cluster up part LGTM |
|
It'd be good for someone who works on rebases like @deads2k to make sure that updating the fsouza client won't cause any issues. |
…n user namespace mode.
php-coder
force-pushed
the
oc_cluster_up_and_ports_in_userns_env
branch
from
378d20e to
d84c262
Compare
|
@csrwng I've moved code for adjusting |
|
thx, still LGTM |
make sure the levels match between kube master and this. |
@deads2k which levels? Do you mean versions? |
Yeah, kube and origin should agree on the commit SHA to use in order to make the rebase reasonable (or sometimes even possible). |
As I can see Kubernetes doesn't have |
|
@bparees is there a card about getting rid of fsouza client? |
|
but we now maintain a separate vendored copy of fsouza in pkg/build/vendor so we can run at a different level than the rest of origin. |
Unfortunately |
|
What is the outcome? Could we merge it now? If not then when? In the beginning of the next release? |
|
@php-coder the code looks good to me, but would like confirmation that it's ok to update the fsouza docker client. /cc @smarterclayton |
@smarterclayton Ping |
|
LGTM [merge] |
|
[merge] |
|
Evaluated for origin merge up to d84c262 |
|
[Test]ing while waiting on the merge queue |
|
Evaluated for origin test up to d84c262 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2020/) (Base Commit: ba62cde) |
|
test flake #14385 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/932/) (Base Commit: 4b98e27) (Image: devenv-rhel7_6333) |
In order to have access to
HostConfig.Usernsfield, I have to update version of go-dockerclient.PTAL @csrwng @bparees
CC @mfojtik @pweil-
Addressed to #12643