*: use podman instead of docker #207

Merged
merged 1 commit into from
Sep 11, 2018
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@ These instructions can be used for AWS:
bazel build tarball
```

*Note*: the project can optionally be built without installing Bazel, provided Docker is installed:
*Note*: the project can optionally be built without installing Bazel, provided Podman is installed:
```sh
docker run --rm -v $PWD:$PWD:Z -w $PWD quay.io/coreos/tectonic-builder:bazel-v0.3 bazel --output_base=.cache build tarball
podman run --rm -v $PWD:$PWD:Z -w $PWD quay.io/coreos/tectonic-builder:bazel-v0.3 bazel --output_base=.cache build tarball
```

3. Extract the tarball
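Review bot: the README mount uses the uppercase `:Z` label (`-v $PWD:$PWD:Z`) while hack/test-bazel-build-tarball.sh mounts the same checkout for the same builder image with `:z`; `Z` gives the directory a container-private SELinux label, so a second container sharing the checkout at the same time is denied access. Use `:z` here as well, and quote the expansions (`-v "$PWD:$PWD:z" -w "$PWD"`) so a checkout path containing spaces does not split into separate arguments.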
2 changes: 1 addition & 1 deletion hack/go-fmt.sh
Expand Up @@ -5,7 +5,7 @@ if [ "$IS_CONTAINER" != "" ]; then
done
git diff --exit-code
else
docker run --rm \
podman run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:/go/src/github.com/openshift/installer:z" \
--workdir /go/src/github.com/openshift/installer \
2 changes: 1 addition & 1 deletion hack/go-lint.sh
Expand Up @@ -4,7 +4,7 @@
if [ "$IS_CONTAINER" != "" ]; then
golint -set_exit_status "${@}"
else
docker run --rm \
podman run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:/go/src/github.com/openshift/installer:z" \
--workdir /go/src/github.com/openshift/installer \
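Review bot: the source mount in this hunk is read-write (`--volume "${PWD}:/go/src/github.com/openshift/installer:z"`) although golint only reads the tree; hack/shellcheck.sh in the same series mounts its checkout with `ro,z`. Use `:ro,z` here too so a misbehaving linter image cannot modify the checkout; the same applies to the go-vet, tf-lint and yaml-lint scripts in this PR, none of which needs to write into the mounted directory (go vet writes only to its build cache inside the container).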
2 changes: 1 addition & 1 deletion hack/go-vet.sh
Expand Up @@ -2,7 +2,7 @@
if [ "$IS_CONTAINER" != "" ]; then
go vet "${@}"
else
docker run --rm \
podman run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:/go/src/github.com/openshift/installer:z" \
--workdir /go/src/github.com/openshift/installer \
2 changes: 1 addition & 1 deletion hack/shellcheck.sh
Expand Up @@ -6,7 +6,7 @@ if [ "$IS_CONTAINER" != "" ]; then
-o -path "${TOP_DIR}/.build" -prune \
-o -type f -name '*.sh' -exec shellcheck --format=gcc {} \+
else
docker run --rm \
podman run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:/workdir:ro,z" \
--entrypoint sh \
2 changes: 1 addition & 1 deletion hack/test-bazel-build-tarball.sh
Expand Up @@ -3,7 +3,7 @@ if [ "$IS_CONTAINER" != "" ]; then
set -x
bazel --output_base=/tmp build "$@" tarball
else
docker run --rm \
podman run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:${PWD}:z" \
--workdir "${PWD}" \
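Review bot: this script and the README snippet disagree on where Bazel's output base lives: here `bazel --output_base=/tmp build "$@" tarball` writes into the container's /tmp, which vanishes with `--rm`, while the README's `podman run` line uses `--output_base=.cache` inside the mounted checkout and so persists state in the working tree. Pick one layout in the same change, or say in the README why the documented command and the CI script differ.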
4 changes: 2 additions & 2 deletions hack/tf-fmt.sh
@@ -1,11 +1,11 @@
#!/bin/sh

# in prow, already in container, so no 'docker run'
# in prow, already in container, so no 'podman run'
if [ "$IS_CONTAINER" != "" ]; then
set -x
/terraform fmt -list -check -write=false
else
docker run --rm \
podman run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:${PWD}:ro,z" \
--workdir "${PWD}" \
2 changes: 1 addition & 1 deletion hack/tf-lint.sh
Expand Up @@ -2,7 +2,7 @@
if [ "$IS_CONTAINER" != "" ]; then
tflint
else
docker run --rm \
podman run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:/data:z" \
--entrypoint sh \
2 changes: 1 addition & 1 deletion hack/yaml-lint.sh
Expand Up @@ -2,7 +2,7 @@
if [ "$IS_CONTAINER" != "" ]; then
yamllint --config-data "{extends: default, rules: {line-length: {level: warning, max: 120}}}" ./examples/ ./installer/
else
docker run --rm \
podman run --rm \
--env IS_CONTAINER=TRUE \
--volume "${PWD}:/workdir:z" \
--entrypoint sh \
6 changes: 1 addition & 5 deletions modules/bootkube/resources/bootkube.service
Expand Up @@ -2,16 +2,12 @@
Description=Bootstrap a Kubernetes cluster
ConditionPathExists=!/opt/tectonic/init_bootkube.done
Wants=kubelet.service
Requires=docker.service
After=kubelet.service docker.service
After=kubelet.service

[Service]
Type=oneshot
RemainAfterExit=true
WorkingDirectory=/opt/tectonic

User=root
Group=root

ExecStart=/usr/bin/bash /opt/tectonic/bootkube.sh
ExecStartPost=/bin/touch /opt/tectonic/init_bootkube.done
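Review bot: with `Requires=docker.service` and the `docker.service` ordering removed, nothing in this unit orders it after the network is up, yet bootkube.sh pulls `${kube_core_renderer_image}`, `${tnc_operator_image}` and `${etcd_cert_signer_image}` through `podman run`; docker.service carried an ordering after network-online.target that a daemonless podman does not provide. Add `Wants=network-online.target` and `After=network-online.target` alongside the remaining `After=kubelet.service`; dropping `Requires=` entirely is correct, since there is no podman daemon to depend on.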
16 changes: 8 additions & 8 deletions modules/bootkube/resources/bootkube.sh
Expand Up @@ -4,7 +4,7 @@ set -e
echo "Rendering Kubernetes core manifests..."

# shellcheck disable=SC2154
/usr/bin/docker run \
/usr/bin/podman run \
Member

@wking wking Sep 5, 2018


This breaks Container Linux, no? I'll launch the smoke tests to see... [edit: @crawford already launched them :)]

Contributor


Yep. We'll need to remove CL support before we can merge this.

Contributor


#221 is ready to go (once openshift/release#1317 merges).

Contributor


@ashcrow can you also update bootkube.service so that it no longer depends on docker.service?

Member Author


Sure. Will update shortly.

Member Author


⬆️

--volume "$PWD:/assets:z" \
--volume /etc/kubernetes:/etc/kubernetes:z \
"${kube_core_renderer_image}" \
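Review bot: neither this `podman run` nor the TNC renderer invocation in the next hunk passes `--rm` (options must precede the image name, and the visible options end at `"${kube_core_renderer_image}"`), while the etcdctl loop further down does; the exited renderer containers stay in podman's container storage on the bootstrap node until something removes them, and with no daemon nothing reaps them. Add `--rm` to both, or `podman rm` them once the render has completed.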
Expand All @@ -14,7 +14,7 @@ echo "Rendering Kubernetes core manifests..."
echo "Rendering TNC manifests..."

# shellcheck disable=SC2154
/usr/bin/docker run \
/usr/bin/podman run \
--user 0 \
--volume "$PWD:/assets:z" \
"${tnc_operator_image}" \
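Review bot: `--user 0` forces root inside the TNC renderer container; since bootkube.service runs as root and `/assets` is `$PWD` on the host with a shared `:z` label, everything the renderer writes there ends up root-owned on the host. Leave a comment stating why the image's default user cannot write to /assets, so the override is not carried forward silently once the image no longer needs it.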
Expand All @@ -29,14 +29,13 @@ cp "$PWD/tnc-bootstrap/tectonic-node-controller-config.yaml" /etc/kubernetes/tnc
# We originally wanted to run the etcd cert signer as
# a static pod, but kubelet could't remove static pod
# when API server is not up, so we have to run this as
# docker container.
# podman container.
# See https://github.com/kubernetes/kubernetes/issues/43292

echo "Starting etcd certificate signer..."

# shellcheck disable=SC2154
SIGNER=$(/usr/bin/docker run -d \
--tmpfs /tmp \
Contributor


I think this was basically for security so that the keys/cert never hit the disk

SIGNER=$(/usr/bin/podman run -d \
--volume /opt/tectonic/tls:/opt/tectonic/tls:ro,z \
--network host \
"${etcd_cert_signer_image}" \
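Review bot: dropping `--tmpfs /tmp` from the signer's `podman run -d` is a behaviour change the commit message should justify; as the thread notes, it kept generated certificates and keys off the bootstrap node's disk. `podman run` accepts `--tmpfs` with the same syntax (check it against the podman 0.7.3 build on RHCOS), so keep the flag unless that build rejects it, and say which in the commit.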
Expand All @@ -57,8 +56,9 @@ i=0
while true; do
set +e
# shellcheck disable=SC2154,SC2086
/usr/bin/docker run \
/usr/bin/podman run \
--rm \
--network host \
Member


Can you explain why you need this?

Contributor


It wasn't able to access the outside network without. I thought I heard that this was expected behavior with podman (though, I don't know where I heard that).

Member


this should have worked....



podman should work fine without requiring --network=host. What version of podman were you testing with?

Contributor


@rhatdan podman version 0.7.3

Member


podman version 0.7.3

If this is a known issue with an upstream fix, we may be able to drop this after #253 takes us up to RHCOS 4.0.5595-1 with:

$ curl -s http://aos-ostree.rhev-ci-vms.eng.rdu2.redhat.com/rhcos/images/cloud/4.0.5595-1/pkglist.txt | grep podman
 podman-0.8.5-2.gitdc5a711.el7.x86_64

Thank you openshift/os#288 :).

--name etcdctl \
--env ETCDCTL_API=3 \
--volume /opt/tectonic/tls:/opt/tectonic/tls:ro,z \
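Review bot: the added `--network host` drops network namespace isolation for the etcdctl probe container, and the thread says it is a workaround for outbound connectivity failing under podman 0.7.3, not a requirement of the check. Record that in a comment next to the flag, with the podman version, so it can be removed once RHCOS ships a newer podman (the thread points at 0.8.5) instead of being read as intentional.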
Expand Down Expand Up @@ -86,15 +86,15 @@ done

echo "etcd cluster up. Killing etcd certificate signer..."

/usr/bin/docker kill "$SIGNER"
/usr/bin/podman kill "$SIGNER"
rm /etc/kubernetes/manifests/tectonic-node-controller-pod.yaml

cp -r "$PWD/bootstrap-configs" /etc/kubernetes/bootstrap-configs

echo "Starting bootkube..."

# shellcheck disable=SC2154
/usr/bin/docker run \
/usr/bin/podman run \
--volume "$PWD:/assets:z" \
--volume /etc/kubernetes:/etc/kubernetes:z \
--network=host \
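Review bot: `podman kill "$SIGNER"` stops the detached signer but does not remove it, and `$SIGNER` was started without `--rm`, so every bootstrap attempt leaves a stopped container holding the TLS mount definition in storage; `podman rm -f "$SIGNER"` does both in one step. Separately, this hunk spells the flag `--network=host` while the etcdctl loop above uses `--network host`; pick one form.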
8 changes: 4 additions & 4 deletions scripts/maintenance/clean-aws.sh
Expand Up @@ -4,7 +4,7 @@ usage() {
cat <<EOF

$(basename "$0") deletes AWS resources tagged with tags specified in a tag file.
Requires that 'docker' and 'jq' are installed.
Requires that 'podman' and 'jq' are installed.

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environmental variables must be set.

Expand Down Expand Up @@ -86,7 +86,7 @@ while [ $# -gt 0 ]; do
shift
done

if ! command -V docker >/dev/null || ! command -V jq >/dev/null; then
if ! command -V podman >/dev/null || ! command -V jq >/dev/null; then
echo "Missing required dependencies" >&2
exit 1
fi
Expand Down Expand Up @@ -155,9 +155,9 @@ if [ ! $force ]; then
fi
fi

trap 'docker stop grafiti-deleter; exit' EXIT
trap 'podman stop grafiti-deleter; exit' EXIT

docker run -t --rm --name grafiti-deleter \
podman run -t --rm --name grafiti-deleter \
-v "$tmp_dir":/tmp/config:z \
-e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
-e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
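Review bot: `trap 'podman stop grafiti-deleter; exit' EXIT` fires after a `--rm` container has already been removed on a normal exit, so `podman stop` prints a no-such-container error on every clean run; redirect its stderr or limit the trap to INT/TERM. Also, the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` values passed with `-e` are stored in the container config and readable through `podman inspect` for the container's lifetime; that is the same exposure as with docker, but worth a comment since this script handles credentials.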
8 changes: 4 additions & 4 deletions scripts/maintenance/tag-aws.sh
Expand Up @@ -5,7 +5,7 @@ usage() {

$(basename "$0") tags AWS resources with 'expirationDate: some-date-string',
defaulting to tomorrow's date, and excludes all resources tagged with
tag keys/values specified in an 'exclude' file. Requires that 'docker' is
tag keys/values specified in an 'exclude' file. Requires that 'podman' is
installed.

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environmental variables must be set.
Expand Down Expand Up @@ -101,7 +101,7 @@ while [ $# -gt 0 ]; do
shift
done

if ! command -V docker >/dev/null; then
if ! command -V podman >/dev/null; then
echo "Missing required dependencies" >&2
exit 1
fi
Expand Down Expand Up @@ -181,9 +181,9 @@ if [ ! $force ]; then
fi
fi

trap 'docker stop grafiti-tagger; exit' EXIT
trap 'podman stop grafiti-tagger; exit' EXIT

docker run -t --rm --name grafiti-tagger \
podman run -t --rm --name grafiti-tagger \
-v "$tmp_dir":/tmp/config:z \
-e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
-e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
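Review bot: the EXIT trap's `podman stop grafiti-tagger` runs after `--rm` has already removed the container on a clean exit and so errors every time; redirect its stderr or trap INT/TERM instead. The AWS credentials given with `-e` are likewise visible through `podman inspect` while the tagger runs, which deserves a comment in a script whose purpose is to handle those keys.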