host: Replace libvirt-lxc backend with libcontainer #3030
e7630d9 to 555e7d5
There are still a couple of test failures, but I think these are CI flakes present on master, so this is now ready for review. An overview of how containers work with libcontainer:
Some notes:
if err := factory.StartInitialization(); err != nil { | ||
log.Fatal(err) | ||
} | ||
} |
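Review bot: the choice of init() over main() deserves a comment on these lines, because nothing visible here explains it. libcontainer's documented pattern is to call StartInitialization from init(), guarded by an os.Args check for the re-exec'd init process, after runtime.GOMAXPROCS(1) and runtime.LockOSThread(), so that namespace setup finishes on the main thread before the Go runtime starts other threads; StartInitialization does not return on success (it execs the job), so a trailing panic is customary to make that explicit. Neither the guard, the thread lock nor the panic appears in the snippet; if they live above it, a one-line comment would answer the question raised in review, and if they do not, they should be added.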
Is there a reason to put this in `init` instead of `main`?
This is awesome! Have you tried removing the vendored libvirt client code?
Looks like we'll probably need some minor docs updates.
@@ -2,6 +2,5 @@ include_rules | |||
: |> sed 's/{{TUF-ROOT-KEYS}}/@(TUF_ROOT_KEYS)/g' cli/root_keys.go.tmpl > %o |> cli/root_keys.go | |||
: cli/root_keys.go |> !cgo |> bin/flynn-host | |||
: bin/flynn-host |> gzip -9 --keep bin/flynn-host |> bin/flynn-host.gz | |||
: |> !go ./flynn-init |> bin/flynn-init | |||
: |> !cgo ./flynn-init |> bin/flynn-init |
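Review bot: switching the ./flynn-init rule from `!go` to `!cgo` produces a binary dynamically linked against the build host's libc, yet flynn-init is the process that runs inside each job's rootfs, so it will fail to start in any rootfs that lacks a compatible libc. If cgo is genuinely required for the libcontainer init path, either link flynn-init statically (and verify the result with ldd or a PT_INTERP check in CI) or keep that code in bin/flynn-host, which stays on the host and is unaffected by the rootfs contents.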
This will break containerinit if the rootfs doesn't have libc. Perhaps we should put the libcontainer part in flynn-host instead?
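A check for the concern raised above, as an added example that is not code from the PR or from Flynn: it uses Go's debug/elf to report whether a binary such as flynn-init carries a PT_INTERP entry or DT_NEEDED libraries, that is, whether the rootfs it runs in must supply a dynamic loader and libc. The minimalELF helper and the interpreter path it embeds are constructed sample data so the check runs offline; pass real paths on the command line to inspect actual binaries.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"strings"
)

// Linking describes what an ELF binary needs from the rootfs it is executed in.
type Linking struct {
	Dynamic bool     // set when a PT_INTERP header or DT_NEEDED entries are present
	Interp  string   // ELF interpreter (dynamic loader) requested, if any
	Needed  []string // DT_NEEDED shared objects, if any
}

// Inspect parses an ELF image and reports whether it needs a dynamic loader
// and shared libraries. A static binary has neither, so it can be exec'd in a
// rootfs that ships no libc at all.
func Inspect(r io.ReaderAt) (Linking, error) {
	var l Linking
	f, err := elf.NewFile(r)
	if err != nil {
		return l, err
	}
	for _, p := range f.Progs {
		if p.Type != elf.PT_INTERP {
			continue
		}
		b, err := io.ReadAll(p.Open())
		if err != nil {
			return l, err
		}
		l.Interp = strings.TrimRight(string(b), "\x00")
		l.Dynamic = true
	}
	// ImportedLibraries returns nil, nil when the image has no .dynamic section.
	needed, err := f.ImportedLibraries()
	if err != nil {
		return l, err
	}
	l.Needed = needed
	if len(needed) > 0 {
		l.Dynamic = true
	}
	return l, nil
}

// minimalELF builds the smallest ELF64 image debug/elf accepts: a header, no
// sections, and (when interp is non-empty) one PT_INTERP segment naming a
// dynamic loader. It is constructed sample data standing in for a real binary
// so the check can be exercised offline; the image itself is not executable.
func minimalELF(interp string) []byte {
	const hdrSize, phSize = 64, 56
	var phnum uint16
	if interp != "" {
		phnum = 1
	}
	hdr := elf.Header64{
		Ident:     [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:      uint16(elf.ET_EXEC),
		Machine:   uint16(elf.EM_X86_64),
		Version:   uint32(elf.EV_CURRENT),
		Phoff:     hdrSize,
		Ehsize:    hdrSize,
		Phentsize: phSize,
		Phnum:     phnum,
		Shentsize: 64,
	}
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.LittleEndian, hdr) // writes to a bytes.Buffer cannot fail
	if interp != "" {
		data := append([]byte(interp), 0) // PT_INTERP contents are NUL-terminated
		ph := elf.Prog64{
			Type:   uint32(elf.PT_INTERP),
			Flags:  uint32(elf.PF_R),
			Off:    hdrSize + phSize,
			Filesz: uint64(len(data)),
			Memsz:  uint64(len(data)),
			Align:  1,
		}
		binary.Write(buf, binary.LittleEndian, ph)
		buf.Write(data)
	}
	return buf.Bytes()
}

func main() {
	paths := os.Args[1:]
	if len(paths) == 0 { // no paths given: show the result on the constructed samples
		for _, interp := range []string{"/lib64/ld-linux-x86-64.so.2", ""} {
			l, err := Inspect(bytes.NewReader(minimalELF(interp)))
			fmt.Printf("sample(interp=%q): %+v err=%v\n", interp, l, err)
		}
		return
	}
	for _, path := range paths {
		fh, err := os.Open(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		l, err := Inspect(fh)
		fh.Close()
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			os.Exit(1)
		}
		if l.Dynamic {
			fmt.Printf("%s: dynamic (interp %q, needs %v); fails in a rootfs without a matching libc\n", path, l.Interp, l.Needed)
		} else {
			fmt.Printf("%s: static; safe to exec in any rootfs\n", path)
		}
	}
}
```

Run it against bin/flynn-init after a build; a cgo build shows an interpreter and a libc in Needed, a static build shows neither, which is the property that matters for a binary exec'd inside an arbitrary job rootfs.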
555e7d5 to ef8b039
// container, taken from: | ||
// https://github.com/opencontainers/runc/blob/v1.0.0-rc1/libcontainer/SPEC.md#security | ||
var defaultCapabilities = []string{ | ||
"CAP_NET_RAW", |
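Review bot: CAP_NET_RAW in the default set lets every job open raw and packet sockets, which is enough to sniff and spoof traffic on whatever network its interface is attached to, not just to run ping. Since the list is copied from runc's SPEC.md defaults rather than derived from what Flynn jobs need, consider dropping it from defaultCapabilities and granting it per job, and extend the comment to say which column of the spec table was copied (the Enabled column) and which jobs, if any, rely on it, so the next reader does not have to re-derive the list.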
This list does not appear to match the link.
In what way do they differ? I just took the ones with `Enabled: 1` set.
Ah, I missed the second column. That makes sense.
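The column confusion above is easy to avoid by deriving the list from the table instead of copying it by hand. The following is an added example, not code from the PR or from runc: it parses a table laid out like the SPEC.md security section, keeps only rows whose Enabled column is 1, and diffs the result against a hard-coded list so that anything the code grants beyond the spec shows up as extra. The specTable excerpt and the wrongList it is compared against are constructed sample data, not the spec's actual contents.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// specTable is a constructed excerpt in the layout of the capability table in
// runc's libcontainer/SPEC.md: one capability per row, Enabled column 1 or 0.
// The rows are sample data for the parser, not a copy of the spec.
const specTable = `
| Capability           | Enabled |
| -------------------- | ------- |
| CAP_NET_RAW          | 1       |
| CAP_NET_BIND_SERVICE | 1       |
| CAP_AUDIT_WRITE      | 1       |
| CAP_DAC_OVERRIDE     | 1       |
| CAP_SETFCAP          | 1       |
| CAP_SETPCAP          | 1       |
| CAP_SETGID           | 1       |
| CAP_SETUID           | 1       |
| CAP_MKNOD            | 1       |
| CAP_CHOWN            | 1       |
| CAP_FOWNER           | 1       |
| CAP_FSETID           | 1       |
| CAP_KILL             | 1       |
| CAP_SYS_CHROOT       | 1       |
| CAP_NET_ADMIN        | 0       |
| CAP_SYS_ADMIN        | 0       |
| CAP_SYS_MODULE       | 0       |
| CAP_SYS_PTRACE       | 0       |
`

// wrongList is a constructed "copied the first column" mistake: it includes a
// capability the table disables and omits most of the ones it enables.
var wrongList = []string{"CAP_NET_RAW", "CAP_SYS_ADMIN"}

// EnabledCapabilities returns, sorted, the capabilities whose Enabled column
// is 1. Header and separator rows are skipped; a row whose Enabled cell is
// anything other than 0 or 1 is an error rather than silently dropped.
func EnabledCapabilities(table string) ([]string, error) {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "|") {
			continue
		}
		cells := strings.Split(strings.Trim(line, "|"), "|")
		if len(cells) < 2 {
			continue
		}
		name := strings.TrimSpace(cells[0])
		if !strings.HasPrefix(name, "CAP_") { // header or separator row
			continue
		}
		switch enabled := strings.TrimSpace(cells[1]); enabled {
		case "1":
			out = append(out, name)
		case "0":
		default:
			return nil, fmt.Errorf("row %s: Enabled must be 0 or 1, got %q", name, enabled)
		}
	}
	sort.Strings(out)
	return out, sc.Err()
}

// Diff reports what code grants that spec does not (extra: the dangerous
// direction) and what spec enables that code omits (missing), both sorted.
func Diff(code, spec []string) (extra, missing []string) {
	inCode, inSpec := map[string]bool{}, map[string]bool{}
	for _, c := range code {
		inCode[c] = true
	}
	for _, s := range spec {
		inSpec[s] = true
	}
	for _, c := range code {
		if !inSpec[c] {
			extra = append(extra, c)
		}
	}
	for _, s := range spec {
		if !inCode[s] {
			missing = append(missing, s)
		}
	}
	sort.Strings(extra)
	sort.Strings(missing)
	return extra, missing
}

func main() {
	spec, err := EnabledCapabilities(specTable)
	if err != nil {
		panic(err)
	}
	extra, missing := Diff(wrongList, spec)
	fmt.Printf("spec enables %d capabilities\n", len(spec))
	fmt.Printf("granted but not enabled in spec: %v\n", extra)
	fmt.Printf("enabled in spec but not granted:  %v\n", missing)
}
```

Point it at the real SPEC.md table and the defaultCapabilities slice from the PR; an empty extra list is the property to assert in a test so that a future copy-paste error cannot widen the default set unnoticed.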
Updates are not currently working because all containers are exiting when the old I initially thought The likely suspect is the ParentDeathSignal parameter, but so far I have not been able to configure things so that the containers do not exit (I have tried modifying that config variable, removing all I am investigating further.
da3f1b1 to df57576
df57576 to c7d703d
The containers were previously exiting when the parent I have changed things so that only TTY jobs get a console (f5d6b84) which means those jobs will not survive an update to I have also fixed job resurrection so that it only happens for jobs which aren't actually running (c7d703d), and although that could be changed on master I am bundling it in here as I hope we can merge this. The last few test runs have had some failures but they are all tests which fail intermittently on master, and are mostly controller deployment related (something which I will be refactoring soon). @titanous @josephglanville this is ready for a review.
Source: lt.FSRef{Usage: "65535"}, // 64MiB | ||
Target: lt.FSRef{Dir: "/dev/shm"}, | ||
}, | ||
ifaceName, err := netutils.GenerateIfaceName("veth", 4) |
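Review bot: if the libvirt /dev/shm filesystem shown here goes away with the backend, the libcontainer config needs an equivalent tmpfs mount on /dev/shm with an explicit size option; an unbounded tmpfs lets a job consume host memory up to its cgroup limit. While it is here, the value 65535 does not match the "64MiB" comment if the unit is KiB (65536 KiB is exactly 64MiB), so whichever of the two is carried over should be corrected. On the veth line, GenerateIfaceName picks a random name and only checks it against the interface table at generation time rather than reserving it, so the err must be checked and a collision at link creation should be retried rather than treated as fatal; moving the call into the branch that actually creates the interface, as asked in review, also avoids generating a name that is never used.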
Should this be moved into the else block below?
Signed-off-by: Lewis Marshall <lewis@lmars.net>
The cgroup-lite package is responsible for mounting the cgroup controllers at /sys/fs/cgroup/{controller}, which flynn-host expects to be mounted.

Signed-off-by: Lewis Marshall <lewis@lmars.net>
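To verify the precondition this commit message describes before starting flynn-host, here is an added example that is not Flynn's code: it parses /proc/mounts-format text and lists the cgroup v1 controllers that are not mounted at /sys/fs/cgroup/<controller>. The requiredControllers list is an assumption for the example (the commit names the mount layout, not the controller set), and sampleMounts is constructed content showing one controller missing and one mounted in the wrong place; run it with --host to check the live /proc/mounts instead.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path"
	"sort"
	"strings"
)

// requiredControllers is assumed for this example; adjust it to the set the
// host daemon really depends on.
var requiredControllers = []string{"cpu", "cpuacct", "memory", "devices", "freezer", "blkio"}

// sampleMounts is constructed /proc/mounts content: cgroup-lite has mounted
// most controllers, "memory" is absent, and "devices" is mounted under /mnt/cg
// instead of /sys/fs/cgroup/devices.
const sampleMounts = `
tmpfs /sys/fs/cgroup tmpfs rw,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio 0 0
cgroup /mnt/cg/devices cgroup rw,relatime,devices 0 0
`

// cgroupMountOptions maps every mount option of every cgroup v1 mount to its
// mount point. Controller names appear as options ("cpu", "memory", ...), so
// looking a controller up in this map yields where it is mounted; noise
// options such as "rw" or "relatime" are harmless because they are never
// looked up. cgroup2 mounts have fstype "cgroup2" and are ignored, which is
// correct here because a v2-only host does not provide per-controller paths.
func cgroupMountOptions(mounts string) map[string]string {
	found := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(mounts))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // source mountpoint fstype options dump pass
		if len(f) < 4 || f[2] != "cgroup" {
			continue
		}
		for _, opt := range strings.Split(f[3], ",") {
			found[opt] = f[1]
		}
	}
	return found
}

// MissingControllers returns, sorted, one line per required controller that
// is not mounted at exactly /sys/fs/cgroup/<controller>, with the reason.
func MissingControllers(mounts string, required []string) []string {
	found := cgroupMountOptions(mounts)
	var out []string
	for _, c := range required {
		want := path.Join("/sys/fs/cgroup", c)
		mp, ok := found[c]
		switch {
		case !ok:
			out = append(out, c+": not mounted")
		case mp != want:
			out = append(out, fmt.Sprintf("%s: mounted at %s, expected %s", c, mp, want))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	src := sampleMounts
	if len(os.Args) > 1 && os.Args[1] == "--host" {
		b, err := os.ReadFile("/proc/mounts")
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		src = string(b)
	}
	problems := MissingControllers(src, requiredControllers)
	if len(problems) == 0 {
		fmt.Println("all required cgroup controllers mounted at /sys/fs/cgroup/<controller>")
		return
	}
	for _, p := range problems {
		fmt.Println(p)
	}
	os.Exit(1)
}
```

Wiring this into the host's start-up (or a packaging test) turns an obscure libcontainer failure later on into a clear message about which mount is absent.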
To make it easy to identify jobs in the output of `ps`.

Signed-off-by: Lewis Marshall <lewis@lmars.net>
Flannel for example needs this to setup vxlan devices.

Signed-off-by: Lewis Marshall <lewis@lmars.net>
c7d703d to b82b909
@titanous so I went on a small TTY adventure today and eventually realised the issue was that not assigning a console to the container meant that when Long story short, updating Ready for another review 😄.
LGTM!
LGTM. 🎉
woot!
Woot indeed. Can I get a heads-up when this releases?
The latest nightly has it.
Opening as an early PR to see what happens in CI.
Closes #38
Closes #3021
Closes #2553
Closes #2367
Closes #2725
Closes #2803