Add minimal MariaDB container for WMAgent #1412
Conversation
|
Hi @todor-ivanov What version did you use to test? |
|
Hi @khurtado Yes indeed they have removed all
For local tests directly on the host I used some really old version which was closer to the current rpm based version we use - 5.5.68, but there is no official mariadb docker container uploaded in the public repositories with a version that old. You can try mariadb container 10.11instead. I just tested it and it is working properly to some later stage when it tries to create the users because we will have to parse the previously mounted |
|
@todor-ivanov Todor, I am not sure where you came from with the version 5.5.68, but we have been using version 10.6.5 for 3 years now: https://github.com/cms-sw/cmsdist/blob/comp_gcc630/mariadb.spec#L1 |
|
hi @amaltaro I do not remember, but it doesn't matter already ... I have already fixed to the latest version that still has the |
|
hi @amaltaro, |
|
And with my latest commit all is fixed and we are aligned with the rest of the world to the latest MariDB version: 11.0 @khurtado you may give it a try. But before we merge this PR we have to:
I'll work on that later tonight as well. |
|
@todor-ivanov Todor, did you check the release notes to see any significant changes between MariaDB 10.x and 11.x? As much as I like moving forward with these versions and upgrades, at this stage I feel like it would be important to make the minimum amount of changes compared to how we run the agent at this moment. We haven't done scalability and performance tests yet, and it would help to be able to compare apples to apples. |
|
@todor-ivanov Thank you! I made some minor changes to the start-mariadb.sh to get the user/pass from the secrets and tried starting with some errors. But what I wanted to note more than the errors are these 2 lines: So, it looks like we have the following in the configuration: But these settings are not supported in MariaDB 11.x anymore. I don't know how much we depend on these settings and if they could lead to problems with the current system (e.g.: does 11.x support large prefixes by default without any settings now?). @amaltaro may know more but I guess trying |
|
Thanks for this information, Kenyi. This reinforces even more my request to not make any changes to the stack at this stage, unless there is no other way. |
…iadb-start.sh and mysql-start.sh
|
Hi @khurtado @amaltaro There was one more thing I had to do though, in order to properly grant database permissions to users.
|
|
@amaltaro about the version change it is now just a matter of one parameter passed at build time and it really costs nothing to move between mariadb versions. Here is how it goes: and to start the version we want is just I do not think we must move/change the MariaDB version right now. We can reuse whatever Mariadb version we currently use for our agents and upgrade whenever we want to upgrade. It will cost us nothing in terms of operations. @khurtado I have not changed the |
| @@ -0,0 +1,81 @@ | |||
| ARG TAG=11.0 | |||
| ARG MDB_TAG=$TAG | |||
| FROM mariadb:${MDB_TAG} | |||
There was a problem hiding this comment.
usually we start all Dockerfiles with FROM and MAINTAINER, then add additional stuff. I suggest to keep it consistent and move ARG below these lines.
There was a problem hiding this comment.
We actually need to start with the MDB_ARG, because we need it for referring to the base mariadb image to start from. It comes as an build option. But I've got rid of the additional TAG argument, though.
|
@todor-ivanov Just for the record, I tested as following: First, secret files Then, built via And then run: But I ran into permission issues. In order to make it work I had to uncomment the following last line below and remove the group (since my test agent for example, does not have a Before making or requesting any changes for the review, is this a bug, or did I miss something while deploying? |
|
Thanks for testing this @khurtado I have deliberately commented this line, but kept it in the script, because it is supposed for us to have the |
|
@vkuznet I think I have addressed all you comments. Please take a look again. |
| docker build $dockerOpts -t local/mariadb:$MDB_TAG -t local/mariadb:latest . | ||
|
|
||
| $PUSH && { | ||
| docker login registry.cern.ch |
There was a problem hiding this comment.
I doubt it should be here, it is safer to leave it out from the script and execute outside of it.
There was a problem hiding this comment.
Hi @vkuznet I finally made it work properly. I added this option in purpose. Because we are about to get into a mess with local and remote images if we do not maintain a hard tagging schema. So whenever one adds the -p option to either mariadb-docker-run.sh or mariadb-docker-build.sh it is always going to be an image pulled/pushed from/to registry.cern.ch to be run or uploaded respectively. let me put it in an example to visualize what I mean:
Imagine one is working on building a new tag and he/she has uploaded already a version in the registry, but still continued working on the local build and ends up with two versions of the same tag one uploaded and one local. If he was about to use the wrapper mariadb-docker-build.sh he/she would have ended with the following set of images at the host:
cmst1@vocms0290:wmagent-mariadb $ docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
local/mariadb 10.6.5 4efa646aea3e 6 minutes ago 950MB
local/mariadb latest 4efa646aea3e 6 minutes ago 950MB
registry.cern.ch/mariadb 10.6.5 8539e03b7a1d 21 minutes ago 950MB
registry.cern.ch/mariadb latest 8539e03b7a1d 21 minutes ago 950MB
Looking at the repository names it becomes immediately clear which image comes from where. And looking at the image hashes you can clearly see that the version uploaded at the registry differs from the version at the local repo.
Now trying to run those again with the mariadb-docker-run.sh wrapper, immediately tells you which is the image you are currently running. And you point to the one you want again just by adding/removing the -p parameter to the command:
Running the local one:
cmst1@vocms0290:wmagent-mariadb $ ./mariadb-docker-run.sh -t 10.6.5
Starting the mariadb:10.6.5 docker container with the following parameters: --user cmst1
eb7e0d879d4d7fa597587c734837c5289886a6aaf6a82c072187371fdf312b90
cmst1@vocms0290:wmagent-mariadb $ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
eb7e0d879d4d local/mariadb:10.6.5 "./run.sh" 3 seconds ago Up 2 seconds mariadb
Running the one from the remote registry:
cmst1@vocms0290:wmagent-mariadb $ ./mariadb-docker-run.sh -t 10.6.5 -p
Pulling Docker image: registry.cern.ch/cmsweb/mariadb:10.6.5
10.6.5: Pulling from cmsweb/mariadb
Digest: sha256:61f798b55a1c743686e1568509975308dc07b5b24486894053d6a312983c4af6
Status: Downloaded newer image for registry.cern.ch/cmsweb/mariadb:10.6.5
registry.cern.ch/cmsweb/mariadb:10.6.5
Starting the mariadb:10.6.5 docker container with the following parameters: --user cmst1
21d9c6598f35e627834d1b796460047605d6255cebc746d572289c7b418053ed
cmst1@vocms0290:wmagent-mariadb $ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
21d9c6598f35 registry.cern.ch/mariadb:10.6.5 "./run.sh" 7 seconds ago Up 6 seconds mariadb
This is an approach I have adopted and gradually polished with all three types of containers we are about to run for the WMAgent.
And, Yes, I agree with you this may create a mess with the credentials if many people use the same user for uploading. That's why with my latest commit:
- I Added an explicit check for the login name of the user to build/connect to the ccern registry and if it is not the current one (i.e. someone have switched to
cmst1or other user before uploading) the script just aborts and does not proceed with creating a login session. - I explicitly destroy the login session at the end of the execution - this will remove the credentials preserved in the user's home.
It is another story if we are willing to configure credential helpers for these operations. I'd say we should, but they do not work properly on our cc7 machines(i.e. the pass command is missing in our agents). So as long as we are about to be working with WMAgent images on our current agents, we are bound to temporarily storing credentials in the config file for the time the lgin session is active. But this should be only during this transient period. Once we move to alma9 agents this would be easily fixable as well.
|
ok I have it all implemented now following my second suggestion - (by adding all the 3 users in the container and resolving the username to run the container at runtime), but I have not yet pushed the commit to this PR here, because this approach would require to add the following information to the Docker file: @amaltaro @khurtado @vkuznet If we all do not consider this as a security risk to add these numbers here, I can proceed and push the commit. And with this the current PR will be completed. Let me know what you think? |
Since the information for the cmst1 user is already in the WMAgent docker file I am going to proceed with this commit adding only this user for the time being in order to be able to progress and later we can add the other two users who are supposed to run this setup as well. |
Set Default tag to 10.6.5
|
@khurtado the issue with the user running the database is resolved now. Could you give it another try. p.s. Please run the container with user cmst1, and for your initial run, also consider removing the old directory with the broken permissions: |
I don't think exposing the uid/gids imply a security risk, since we are not providing any information on how to log in to those accounts. We would just need to be sure that these uids/gids are consistent across all FNAL, T0 agent and CERN nodes. I think that is indeed the case for CERN, but I don't know about the T0/FNAL cases. If not, an alternative is to use the usernames which we do know 100% are consistent across all nodes and dynamically read the uid/gid information in the build.sh script before invoking the docker build. EDIT: I can confirm uid/gid are the same across production and testbed FNAL agents, so it will likely be the same for t0 |
|
@todor-ivanov I just tested on my CERN agent and the server is running fine. Latest test was using the image from the registry you uploaded. |
There was a problem hiding this comment.
@todor-ivanov Todor, these changes are looking pretty good. I left a few comments that are worth attending to.
In addition, I would like to ask you to:
- update the pull request description with some short and useful information. Any dependencies (packages, directories, new secrets, etc)? What is the default running options (local or pull)? Etc
- the
managescript has inconsistent usage of the echo command. Given that we are getting started with all this development, it would be great to pick one and stick with that. - is there any changes to the default service configuration
my.cnfcompared with what we currently have in the deployment repo? If so, please clarify what are those.
|
Hi @amaltaro,
Done
Done
There were indeed, two minor changes I had to previously do at Please take a look at the final result |
|
BTW I also provided a README file including all the information one may need to operate with these containers. |
|
A
Get Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Todor Ivanov ***@***.***>
Sent: Wednesday, February 28, 2024 2:34:17 PM
To: dmwm/CMSKubernetes ***@***.***>
Cc: Subscribed ***@***.***>
Subject: Re: [dmwm/CMSKubernetes] Add minimal MariaDB container for WMAgent (PR #1412)
@khurtado<https://github.com/khurtado> the issue with the user running the database is resolved now. Could you give it another try.
p.s. Please run the container with user cmst1, and for your initial run, also consider removing the old directory with the broken permissions:
sudo rm -rf /data/dockerMount/srv/mariadb/
—
Reply to this email directly, view it on GitHub<#1412 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ASOF5YD7VVJIDHKA3EP6ADLYV4W5TAVCNFSM6AAAAAA4IC6WJWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNRYHE4TKMBWGA>.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
todor-ivanov
force-pushed
the
Add_WMAgentMariaDB
branch
from
35c6cf7
to
731e1bb
Compare
|
@arooshap Aroosha, can you please merge this? I don't know if you you'd like to squash the commits or not, that's why I didn't merge it myself. |
|
@todor-ivanov @amaltaro I just have one comment in the README.md, after this is addressed, I approve the merge as well :) |
fixing dmwm/WMCore#11313
MariaDB default image for running WMAgent
Prerequisites
This PR is the initial setup of the MariaDB container for WMAgent.
This image inherits from the mainstream
mariadbone, and follows the same tagging schema. On top of the basemariadbimage we add all the structure needed for running the WMAgent with MariaDB and two main scripts:mariadb-docker-run.shmariadb-docker-build.shFor building the containers, and for creating the mount area at the host and the the bind mounts inside the container, respectively. Those are as follows:
At the host:
At the container:
Upon starting the container we try to initialize the default user and system databases, which if previously created should exist in the host mount area. And the last steps are creating the
wmagentdatabase.There are no other external dependencies.
We fetch all the passwords from two secrets files:
/data/admin/wmagent/WMAgent.secrets- for reading the credentials for the user to be used by the WMAgent to connect to the datbase/data/admin/mariadb/MariaDB.secrets- for reading the the credentials for the root user who is about to have full administrative rights on the MariaDB serverNOTE: The server admin user configured at the
MariaDB.secretsfile, must match the username of the one who is to run the server inside the container. And the later is resolved at runtime, depending on where we run the container, it could be on of the three:FYI: @amaltaro