Add a driver for rkt

[achanda]

• Adds a driver for rkt
• Adds associated tests

[ryanuber]

Awesome! Thanks @achanda. Would it be possible to use the native Go rkt interface here? I'm not familiar with it myself but it thinking it will be more resilient than using the CLI.

[achanda]

@ryanuber ah, I was looking for something like that. Thanks for the pointer. Let me look around.

[catsby]

Should this be acmd? It's using the cmd from line 92 above, where we invoke rkt trust

[achanda]

Thanks, fixed.

[catsby]

Thanks for the contribution! Let us know what you find out about the rkt interface Ryan mentioned

[achanda]

@ryanuber @catsby I had a chat with the rkt guys. While they are working on a way to provide read only info (image etc.), there are no plans to drive rkt through an API. What makes that more difficult is that rkt does not run a daemon in the background. Kubernetes uses rkt in a similar way as this PR. I took a look at their code and noticed that they are spawning the binary in a similar way. However, their rkt package is too tightly integrated with kubernetes.

[ryanuber]

This should probably still be nested under the driver.rkt namespace, since appc itself isn't the driver.

[ryanuber]

@achanda thanks for looking into the client stuff! Understood, and I think this approach is fine if that's the case. I left a few minor comments but overall looking really good! Can you also add some driver documentation in the website/ directory to detail the config options, limitations, etc?

[achanda]

@ryanuber all done.

[ryanuber]

Missed this on the first pass, we set this to true in the Docker driver here. I think we should keep these uniform.

[ryanuber]

Thanks! I took a final pass and just noted a few more (super) minor things. Thanks again, looks like a merge is coming soon!

[dadgar]

I would remove this an inline it into the exec.Command.

[dadgar]

You will want to pass the logger from the Driver into the Handle. We support redirecting logs to files or other sources so this would break that it interface by using the default logger.

[achanda]

@ryanuber I changed to Start and rebased on master. These tests are passing on my box now. Please check.

[dadgar]

This one should still be Run because you don't want to do rkt run before trust has finished

[dadgar]

You will want to run something that exits to test the wait. This test just times out right now

[dadgar]

Can you also run gofmt on all of the files. They are off a little. You can do this by running make format

[ryanuber]

@achanda thanks for working through this with us! We are amped to have rkt supported in Nomad.

[achanda]

Thanks @ryanuber and all other reviewers :)

[dadgar]

@achanda: This was missed in the original review but the driver does not do resource enforcement which is part of the driver API. This poses a problem because Nomad can make no guarantee about the cpu/memory usage of the task and which ports it is using. Given your experience with rkt do you have any thoughts on improving this driver. Otherwise we may have to remove it until it can be implemented in a fashion that respects the resource constraints.

[achanda]

@dadgar CPU, memory and network isolation can be definitely be achieved using rkt. I will start working on those.

[dadgar]

@achanda: Awesome look forward to it. This was caught as we were reviewing for the Nomad 0.2 release. So to make the cut, this would need to be done by Monday, otherwise we could just disable for 0.2 and enable it in a latter version. Sorry for the short notice.

[achanda]

@dadgar ok, let me see what I can do.

[achanda]

@dadgar here is what I found, since the rkt CLI does not accept CPU and memory restrictions directly, the easiest way to achieve this will be using systemd-run, which will add another dependency. I am not familiar with the --pod-manifest flag, that can work but will need more effort than I can manage by Monday. Another way of doing this will be to add these options to the rkt CLI itself, but that won't work in a few days. Please let me know if we want to run rkt via systemd, otherwise the only option might be to remove this driver for now.

[dadgar]

@achanda: The system-d run solution is not quite enough. That provides CPU/Memory isolation but it doesn't fix port allocations. Whatever is in the manifest is what will be used. That needs to be fixed as well. My opinion is these really should be adjustable during rkt run similar to docker.

So we discussed it and we are going to leave the driver in for 0.2 but update the documentation to mark it as experimental. This allows the driver to be improved as changes to the rkt ecosystem occur.

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.