sysroot: Rework /var handling to act like Docker VOLUME /var
#3166
Conversation
|
Skipping CI for Draft Pull Request. |
cgwalters
force-pushed
the
var-again
branch
2 times, most recently
from
428b823
to
ab06743
Compare
|
/test all |
This is intended to pair with ostreedev/ostree#3166 If we detect a new enough ostree version, then by default don't remap content in `/var`, assuming that ostree itself will handle it. In order to unit test this (without depending on the ostree version that happens to be on the host) add an API to the importer which allows overriding the version.
We've long struggled with semantics for `/var`. Our stance of "/var should start out empty and be managed by the OS" is a strict one, that pushes things closer to the original systemd upstream ideal of the "OS state is in /usr". However...well, a few things. First, we had some legacy bits here which were always populating the deployment `/var`. I don't think we need that if systemd is in use, so detect if the tree has `usr/lib/tmpfiles.d`, and don't create that stuff at `ostree admin stateroot-init` time if so. Building on that then, we have the stateroot `var` starting out actually empty. When we do a deployment, if the stateroot `var` is empty, make a copy (reflink if possible of course) of the commit's `/var` into it. This matches the semantics that Docker created with volumes, and this is sufficiently simple and easy to explain that I think it's closer to the right thing to do. Crucially...it's just really handy to have some pre-existing directories in `/var` in container images, because Docker (and podman/kube/etc) don't run systemd and hence don't run `tmpfiles.d` on startup. I really hit on the fact that we need `/var/tmp` in our container images by default for example. So there's still some overlap here with e.g. `/usr/lib/tmpfiles.d/var.conf` as shipped by systemd, but that's fine - they don't actually conflict per se.
|
OK yep, I've tested this more "end-to-end" in combination with ostreedev/ostree-rs-ext#602 and things work well. |
This is intended to pair with ostreedev/ostree#3166 If we detect a new enough ostree version, then by default don't remap content in `/var`, assuming that ostree itself will handle it. In order to unit test this (without depending on the ostree version that happens to be on the host) add an API to the importer which allows overriding the version.
|
One thing I was thinking about here is how this interacts with people who want to do a separate Looking at the current anaconda logic (assuming tasks aren't being run in parallel) then it looks like what happens is that the deploy task combines the stateroot-init with a deployment - and that's when we copy the container And at this point, there's no mount point there. It's only after that that the mount point task runs - this is basically reimplementing the logic from So in order to properly get the commit/container-image Move data out of stateroot
|
|
So if I understand this correctly, this behaves like the At installation time, it will copy What happens on updates? If we're moving away from the factory option, shouldn't we completely remove all traces of it to remove confusion? |
The default is that ostree will see that However, note this aligns with "factory reset" semantics; one can do a flow of |
This is tricky. There's two problems being fixed here. The first is that I discovered belatedly that The second is that In theory something else could have started to rely on ostree including the tmpfiles.d rule for But yes...perhaps we should just remove it. Yeah, I will do a PR. |
|
BTW, one thing I realized this doesn't handle is that anyone doing |
OK, split that into #3222. |
We've long struggled with semantics for
/var. Our stance of "/var should start out empty and be managed by the OS" is a strict one, that pushes things closer to the original systemd upstream ideal of the "OS state is in /usr".However...well, a few things. First, we had some legacy bits here which were always populating the deployment
/var. I don't think we need that if systemd is in use, so detect if the tree hasusr/lib/tmpfiles.d, and don't create that stuff atostree admin stateroot-inittime if so.Building on that then, we have the stateroot
varstarting out actually empty.When we do a deployment, if the stateroot
varis empty, make a copy (reflink if possible of course) of the commit's/varinto it.This matches the semantics that Docker created with volumes, and this is sufficiently simple and easy to explain that I think it's closer to the right thing to do.
Crucially...it's just really handy to have some pre-existing directories in
/varin container images, because Docker (and podman/kube/etc) don't run systemd and hence don't runtmpfiles.don startup.I really hit on the fact that we need
/var/tmpin our container images by default for example.So there's still some overlap here with e.g.
/usr/lib/tmpfiles.d/var.confas shipped by systemd, but that's fine - they don't actually conflict per se.