enable build pods to tolerate running on crio while talking to docker

[bparees]

No description provided.

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS [bparees]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[bparees]

@mrunalp @openshift/devex ptal

the s2i vendor changes will be replaced with a bump commit shortly.

[smarterclayton]

This is going to fail when we turn on shared pid namespace, isn't it?

[bparees]

no idea. will containers no longer have their own /proc filesystem with their own pid 1 at that point?

[mrunalp]

Yeah, this won't work with pid namespace sharing. Cleaner way is using crio inspect endpoint but hopefully, we can move away from docker before we have to do that.

[smarterclayton]

Wow... that's hacky.

[bparees]

and, let me emphasize, temporary until we move to pure crio support, however long that takes.

[mrunalp]

Cleaner way for getting pid as well as resolv path is from crio inspect endpoint but we didn't want that.. and yes this doesn't work with pid namespaces but hopefully we can migrate away from docker for builds by then or switch to using crio inspect endpoint.

[smarterclayton]

This stuff needs to go into its own package. It's getting pretty ugly in here. These aren't build utils, they're build environment / os coupling.

[bparees]

do you really want to encourage other people to consume this stuff? again it should all go away in the future.

[smarterclayton]

If I can inject : into the resolve conf host path, can I break this?

[bparees]

it'll break, i don't know that it'll get you anywhere.

if you can inject some quotes and a comma along with the colon you could presumably do pretty interesting things in terms of bindmounting host content into your build container.

I'm not sure how a user would have any control over that path though.

Regardless, we can certainly audit/strip those characters from the resolvConfHostPath.

[smarterclayton]

It would be a lot better if this is an interface passed into docker builder, and none of this code had any idea of what this stuff was.

[bparees]

what exactly are you proposing be an interface? A ContainerNetworkModeGetter interface?

[bparees]

/retest

[bparees]

/retest

[runcom]

/test crio

[bparees]

/retest

[runcom]

/test crio

[mrunalp]

Should there be a check to add this only if the socket source path exists?

[bparees]

I didn't see a good way to do that(after all this logic is running in a controller that doesn't know anything about the target node for the build pod) and it doesn't do any harm to do the mount even if the source path doesn't exist.

[mrunalp]

So, the controller doesn't add the mount to the pod if it can't find the source? If the mount is passed down to the runc config.json, it will fail to start the container if it can't find the source.

[bparees]

the controller adds the mount. if runc is the container engine, then the source will be there.

and docker seemingly does not care if it does not exist, because this is working when i run using docker as the container engine.

[bparees]

@mrunalp comments addressed

[mrunalp]

LGTM

[bparees]

(3) [online-crio] Build toleration for CRI-O/Docker hybrid mode

[bparees]

/retest

[openshift-ci-robot]

@bparees: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/extended_conformance_crio	d94ceaf	link	/test crio

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[bparees]

/retest

[openshift-merge-robot]

Automatic merge from submit-queue

[smarterclayton]

I can't find any reference to buildbinds in projectatomic/docker - where is the code that actually implements that located?

[smarterclayton]

Also, why did we expand the docker api?

[bparees]

docker build -v provides this on the cli, I don't remember what the issue was w/ the docker api itself not exposing it (or how docker build handles it if the api doesn't provide it)

[smarterclayton]

It does not. Not on regular docker.

…

On Sun, Feb 25, 2018 at 3:32 PM, Ben Parees ***@***.***> wrote: docker build -v provides this on the cli, I don't remember what the issue was w/ the docker api itself not exposing it (or how docker build handles it if the api doesn't provide it) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#16491 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p5sPcab3cagZ9Ng6Prqu9E1xDMEmks5tYcNXgaJpZM4Pf0g_> .

[bparees]

It does not. Not on regular docker.

you mean "docker build -v" isn't even an option in regular docker?

[smarterclayton]

Correct

…

On Sun, Feb 25, 2018 at 11:30 PM, Ben Parees ***@***.***> wrote: It does not. Not on regular docker. you mean "docker build -v" isn't even an option in regular docker? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#16491 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p5jkqjvPgN6TcbdqE7iayJHvGRRNks5tYjN_gaJpZM4Pf0g_> .

[runcom]

It's not indeed, we've added that long time ago @rhatdan

[bparees]

guessing it got added as a "might as well" when the logic was being added to bindmount subscription secrets into the build container.

[smarterclayton]

Where's the implementation for this? I can't find it in projectatomic/docker for some reason.

[runcom]

It's in branches 1.12.6, 1.13.1

[smarterclayton]

I see ImageBuildOptions having "binds". It doesn't have "buildbinds".

…

On Tue, Feb 27, 2018 at 3:37 AM, Antonio Murdaca ***@***.***> wrote: It's in branches 1.12.6, 1.13.1 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#16491 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_pw-cxR3mbNRo0ThAqLDY1LgSRhx_ks5tY76ygaJpZM4Pf0g_> .

[runcom]

"buildbinds" comes from the patched library, I think it's just the struct in the go client library, not in projectatomic/docker, That is translated to json as "buildbinds"

api/server/router/build/build_routes.go
97:     var buildBinds = []string{}
98:     buildBindsJSON := r.FormValue("buildbinds")
99:     if buildBindsJSON != "" {
100:            if err := json.NewDecoder(strings.NewReader(buildBindsJSON)).Decode(&buildBinds); err != nil {
103:            options.Binds = buildBinds