Only include ports in one container in Kube YAML #3417
Conversation
This likely broke when we made containers able to detect that they shared a network namespace and grab ports from the dependency container - prior to that, we could grab ports without concern for conflict, only the infra container had them. Now, all containers in a pod will return the same ports, so we have to work around this. Fixes containers#3408 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
approved
|
Nice easy fix. |
|
Don't want to be picky, but doesn't it break portability of generated yaml to k8s environment? Assuming there will be no infra container on k8s it means that pod yaml won't expose any ports. |
|
While writing a test, I realized that all the |
|
@Fodoj We actually take the ports from the infra container and stick them on the first container in the generated output, so even if there is no infra container, we should be good. |
|
@mheon correct me if I am wrong, but then if I have two containers A and B, A has something running on port 1234, B on 4567. Then YAML exposes both ports on container A, but not container B, meaning that B:4567 can't be reached when connecting to the port, and A:4567 is useless, as nothing is running on this port inside A. Of course if 4567 is "exposed" in the container image behind container B, then it probably won't be an issue, but still generated YAML is kind of misleading (A exposes 2 ports, B exposes none via YAML definition, but exposes one as part of an image). |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
Within Podman alone, if you're using If moving up to Kube, if you generate a service object, the ports are again forwarded to the pod, so it should work there too. The question would be importing the YAML into Kube without a service. (The ability for containers to request individual ports within a pod is coming, hopefully soon, but they'll still all be managed by the infra container - it'll just be taking the requested ports of other containers in the pod into account). |
My concern is more around that one container (the one that exposes only 1234) would have this config: ports:
- containerPort: 1234
hostPort: 1234
protocol: TCP
- containerPort: 4567
hostPort: 4567
protocol: TCPAnd another one (that exposes 4567) won't have any port configuration at all. According to Kubernetes container spec:
So even though not specifying a port wont prevent it from being exposed if container does listen on this port, YAML configuration produced by Podman would be still a bit misleading. |
We need to verify that valid YAML was produced - Marshal will just pack the generated YAML even further. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
@Fodoj can you join us on irc.freenode.net #podman to discuss? we can probably get down to an answer quicker? |
mheon
force-pushed
the
fix_play_kube_ports
branch
from
5067433
to
79d8354
Compare
|
My port-detection logic seems to be failing in the tests. Investigating... |
|
Decode is definitely failing - we're seeing 0 containers in the pod. |
mheon
force-pushed
the
fix_play_kube_ports
branch
from
390f956
to
6b0ff18
Compare
|
Throwing a hold on here - even if tests go green I want to do some more work on them. |
openshift-ci-robot
added
the
do-not-merge/hold
OutputToString() was mangling newlines, which made YAML parsers very, very angry. But not angry enough to actually error, that would be too easy. Just angry enough to silently not decode anything. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
force-pushed
the
fix_play_kube_ports
branch
from
07ebbfc
to
75c43d1
Compare
|
Alright. Tests are in a better spot. Cancelling hold |
openshift-ci-robot
removed
the
do-not-merge/hold
mheon
force-pushed
the
fix_play_kube_ports
branch
from
75c43d1
to
fceac0d
Compare
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
force-pushed
the
fix_play_kube_ports
branch
from
fceac0d
to
068d3bb
Compare
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
This likely broke when we made containers able to detect that they shared a network namespace and grab ports from the dependency container - prior to that, we could grab ports without concern for conflict, only the infra container had them. Now, all containers in a pod will return the same ports, so we have to work around this.
Fixes #3408
Still needs a test, writing one now.