Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

As an admin, I want to enable fuse overlay storage driver for all workspaces #22809

Closed
dkwon17 opened this issue Feb 7, 2024 · 4 comments
Closed

As an admin, I want to enable fuse overlay storage driver for all workspaces #22809

dkwon17 opened this issue Feb 7, 2024 · 4 comments
Assignees
@dkwon17
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator area/udi Issues and PRs related to the universal developer image https://github.com/devfile/developer-images kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system. team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che

Comments

@dkwon17
Copy link
Contributor

dkwon17 commented Feb 7, 2024
edited
Loading

Is your enhancement related to a problem? Please describe

As an admin, I want to enable fuse overlay storage driver for Podman in all workspaces by setting a field in the CheCluster CR.

Describe the solution you'd like

For example:

spec:
  devEnvironments:
    disableFuseOverlay: true/false

For using the fuse overlay storage driver for Podman in workspaces, we need:

  1. The OpenShift cluster's CRI-O engine should allow pods to access the /dev/fuse device.

    • For OpenShift < 4.15, a MachineConfig needs to be created to edit a CRI-O config file to enable this. (See blog post)

  2. Workspaces must have the io.kubernetes.crio-o.Devices: "/dev/fuse" annotation in order to access /dev/fuse

    • For OpenShift < 4.15, an additional annotation is needed. (See blog post)

  3. For images based on UDI, Podman storage driver must be set to overlay

[storage]
- driver = "vfs"
+ driver = "overlay"

+ [storage.options.overlay]
+ mount_program="/usr/bin/fuse-overlayfs"

Describe alternatives you've considered

No response

Additional context

No response
@dkwon17 dkwon17 added kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system. labels Feb 7, 2024
@svor svor added team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che area/udi Issues and PRs related to the universal developer image https://github.com/devfile/developer-images area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator labels Feb 8, 2024
@ibuziuk ibuziuk moved this to 📅 Planned in Eclipse Che Team A Backlog Feb 16, 2024
@dkwon17
Copy link
Contributor Author

dkwon17 commented Mar 7, 2024

To enable fuse for a workspace, there are three requirements:

  1. For OpenShift versions older than 4.15, the administrator has enabled /dev/fuse access on the cluster by following Configuring fuse-overlayfs
  2. The storage.conf file in the workspace container has been configured to use fuse-overlayfs. See Enabling fuse-overlayfs with a Configmap.
  3. The workspace has the necessary annotations for using the /dev/fuse device. See Accessing /dev/fuse from a workspace.

For this feature I believe we can assume that the admin has already completed the first requirement.

The idea I have for how this feature can be implemented is:

If spec.devEnvironments.disableFuseOverlay = false, have the che-operator create this configmap in the Eclipse Che namespace to mount the new storage.conf file to all user workspaces:

kind: ConfigMap
apiVersion: v1
metadata:
  name: overlayfs-storageconf
  namespace: eclipse-che
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
  annotations:
    controller.devfile.io/mount-as: file
    controller.devfile.io/mount-path: /home/user/.config/containers
data:
  storage.conf: |
    [storage]
    driver = "overlay"

    [storage.options.overlay]
    mount_program="/usr/bin/fuse-overlayfs"

This configmap satisfies the second requirement.

There is no easy way at the moment to satisfy the third requirement, because there is no easy way for an admin specify necessary spec.template.attributes for all workspaces in the cluster.

A possible solution would be to introduce a field in the DWOC for adding annotations (or maybe even pod or container overrides) for all workspaces, and have che-operator edit the DWOC (similar to what's happening in dev_workspace_config.go.

Any thoughts @AObuchow @tolusha @ibuziuk ?

@tolusha
Copy link
Contributor

tolusha commented Mar 8, 2024

Having this feature [1], admin is able to mount storage.conf for all users workspaces.
Maybe we can mention this in the doc only.

[1] https://eclipse.dev/che/docs/stable/administration-guide/configuring-a-user-namespace/

@ibuziuk ibuziuk moved this to 📅 Planned in Eclipse Che Team A Backlog Apr 24, 2024
@dkwon17 dkwon17 moved this from 📅 Planned to 🚧 In Progress in Eclipse Che Team A Backlog Jun 4, 2024
@dkwon17 dkwon17 mentioned this issue Jun 4, 2024
Closed
@dkwon17
Copy link
Contributor Author

dkwon17 commented Jun 19, 2024

@tolusha

Sounds good, I think it makes most sense for the admin to create the configmap for tor the storage.conf file.

So, to enable fuse for all workspaces, instead of introducing:

spec:
  devEnvironments:
    disableFuseOverlay: true/false

we can introduce:

spec:
  devEnvironments:
    annotations: (extra annotations for all workspaces)

And document that the admin must create the storage.conf configmap and set:

spec.devEnvironments.annotations = ["io.kubernetes.crio-o.Devices: "/dev/fuse"]

This method would allow admins to make additional changes to storage.conf if needed, by just editing the configmap

@dkwon17 dkwon17 mentioned this issue Jun 19, 2024
Merged
10 tasks
@ibuziuk ibuziuk moved this from 🚧 In Progress to Ready for Review in Eclipse Che Team A Backlog Jun 25, 2024
@dkwon17 dkwon17 mentioned this issue Jun 25, 2024
Merged
5 tasks
@ibuziuk
Copy link
Member

ibuziuk commented Jul 3, 2024

Closing since it is in 7.88.0 RN and I believe all PRs have been merged

@ibuziuk ibuziuk closed this as completed Jul 3, 2024
@ibuziuk ibuziuk moved this to ✅ Done in Eclipse Che Team A Backlog Jul 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dkwon17 dkwon17

Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator area/udi Issues and PRs related to the universal developer image https://github.com/devfile/developer-images kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system. team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che
Projects
Eclipse Che Team A Backlog
Status: ✅ Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@svor @ibuziuk @tolusha @dkwon17