Add toolbox script for RHCOS #44
Added WIP for some considerations:
PTAL @ashcrow @dm0- @dustymabe @lucab, thanks!
I think that came initially from @dm0-, and he may have a better view on the desired UX. From my side, I think we have a few possible approaches:
I don't have a strong opinion on this, but I think I'd currently rank them 1 - 3 - 2.
rhcos-toolbox
container_exec() { | ||
sudo podman exec \ | ||
--env LANG=$LANG \ | ||
--env TERM=$TERM \ |
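Review bot: `$LANG` and `$TERM` in the two `--env` lines are expanded unquoted, so a value containing whitespace or glob characters is split into extra words that `sudo podman exec` then parses as its own arguments. Write them as `--env "LANG=$LANG"` and `--env "TERM=$TERM"`.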
I think that here (and in many other places in this script), you are missing quotes around variables.
@yuqi-zhang if you're cool with it let's run with this addition.
Thanks for the feedback! I'm fixing it up right now. There's also an issue I'm investigating where the container works fine for the first couple of runs, then becomes VERY slow when invoking the script after a while (podman/systemd etc. takes up 100% of CPU for ~10 seconds before spawning the container). Edit: it's a mount issue, fixing.
d59e3d4 to deb4860
Removed WIP as the comments have been addressed.
@yuqi-zhang great work on this. My only gripe from my first pass using this is there's no feedback during the pull. rkt does a great job of showing the pull progress in the original version of this script. One option could be to remove ">/dev/null 2>&1;" in the container create function. If you remove the existing container & fedora image on your system w/o piping this to dev/null I think it's a better experience. Thoughts?
Note that this work resolves openshift/os#78
podman-related question: this currently does two steps (create + exec) which means there is a whole story of ID tracking and GC. Would it be possible to instead have a single volatile interactive container, which is cleaned up on exit?
@mrguitar Good point, I'll remove some of the piping. @lucab In terms of ID tracking, generally there should be only 1 toolbox at any given time, so it can just be referred to by name as The creation/exec can be bundled together, BUT this would mean that every time a user exits the container it gets
In CL, changes in the container filesystem "needed" to be persistent across toolbox runs. That was a requirement that prevented us from changing off nspawn. The existing toolbox script keeps a different container for each user by default (although it was a configurable path so one user could have several), but I am not sure how hard of a requirement that was. Maybe the default
Add rhcos-toolbox and corresponding specfile for building with rdgo. rhcos-toolbox is a script that makes use of podman to create a privileged debug/admin container, with ability to handle user defined commands and variables. Modify README to reflect the change. Signed-off-by: Yu Qi Zhang <[email protected]>
deb4860 to 598df78
Then I think it makes sense to keep the filesystem persistent for the RHCOS toolbox, unless there is a reason not to do so. I could also add in a
@dm0- was there a desire to move away from nspawn for this? I saw some chatter about switching to rkt, but it seemed like nspawn ultimately worked fine for this use case. @lucab I can see pros and cons with either volatile or persistent containers. The way it's written in the PR seems to mirror the existing behavior w/ nspawn. Besides the GC, are there other reasons you'd like it to not persist? If there are enough reasons, it might be worth making it configurable.
@mrguitar There was an attempt to move to rkt at one point (coreos/bugs#1610), but yes, it looks like everyone felt that nspawn was good enough.
@mrguitar I'd prefer not to make it configurable, we are already three levels of wrappers apart from the real execve and I'd like not to grow this into a full-blown container runtime. I naively assumed it was fine and cleaner to purge resources once a debugging session was done, but I missed that some use cases may indeed benefit from retaining those across sessions. So I'm fine with sticking to the current approach, sorry for the diversion.
+100 on keeping the scope small and not making another full blown runtime here. :)
Add a registry login option upon failing a pull. Add example registry.redhat.io toolboxrc format. Signed-off-by: Yu Qi Zhang <[email protected]>
Testing shows no conflict with kubelet on a RHCOS cluster, so we're good with podman. Added extra login prompt for UX considerations for registry.redhat.io
LGTM!
Some minor suggestions, but LGTM without them.
rhcos-toolbox
cleanup | ||
} | ||
|
||
if [ -z "$1" ]; then |
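Review bot: `[ -z "$1" ]` on the last line tests whether the first argument is empty, not whether any argument was passed, so an empty first argument followed by others takes the same branch as no arguments at all. `[ "$#" -eq 0 ]` checks the argument count directly and keeps the two cases apart.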
This condition seems strange, like if someone calls the script with multiple arguments but an empty first argument, this will make `/bin/sh` try to run a file with an empty filename and fail. Maybe a condition like `[ -n "$*" ] || set /bin/sh` is clearer, even if it still fails overall when given an empty first argument.
rhcos-toolbox
read -r -n 1 -p "Would you like to authenticate to registry: '${REGISTRY}' and try again? [y/N] " | ||
echo | ||
|
||
if [[ $REPLY =~ ^[Yy]$ ]]; then |
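Review bot: `read -r -n 1` in the first line returns after a single character, so `REPLY` never holds more than one character and a user who types `yes` has only `y` consumed here, with the remaining characters left on standard input for whatever reads next. If full-word answers are to be accepted, drop `-n 1` and match the whole line, for example with `^[Yy]([Ee][Ss])?$`. `read -n` and `[[ ... =~ ]]` are also bash features, so the script has to run under bash rather than a plain POSIX `sh`.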
Maybe drop the `$` anchor in case users reflexively type `yes` to a confirmation prompt, or also accept `[Yy][Ee][Ss]`.
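The review points raised in this thread (quoting the `--env` values, detecting a missing command, and accepting `y` or `yes`), as an added example that is not part of the PR. The function names are hypothetical, the sample value is constructed, and it uses `$#` and `case` rather than the exact expressions suggested in the comments.

```shell
#!/bin/sh
# Added example, not code from the rhcos-toolbox PR.
# All function names here are hypothetical.

# Return 0 only for y / yes in any letter case. Everything else,
# including an empty reply, counts as "no" (the prompt defaults to N).
is_affirmative() {
    case "$1" in
        [Yy]|[Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command that would be run in the container, one argument
# per line. "$#" counts arguments, so an empty first argument is passed
# through as given instead of being mistaken for "no arguments".
resolve_command() {
    [ "$#" -gt 0 ] || set -- /bin/sh
    printf '%s\n' "$@"
}

# Report how many words the shell hands to a command.
count_words() { echo "$#"; }

# Constructed value containing a space, standing in for $LANG or $TERM.
value='C.UTF-8 extra'

# Unquoted: the value is split, so the callee sees three words.
unquoted=$(count_words --env LANG=$value)

# Quoted: the value stays inside a single --env argument (two words).
quoted=$(count_words --env "LANG=$value")

printf 'unquoted=%s quoted=%s\n' "$unquoted" "$quoted"
```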
Accept y/yes for login prompt, and use cleaner detection for checking user args for command. Signed-off-by: Yu Qi Zhang <[email protected]>
@dm0- thanks for the suggestions! Pushed a fix. Ready to merge if you think we're good to go.
Oh, sorry, I missed the