New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Additional pod life-cycle hook to support commit+push after container exits #14561
Comments
What credentials are used for the push? Is this generalizable to commit On Fri, Sep 25, 2015 at 11:06 AM, Derek Carr notifications@github.com
|
I assume this would work similar to
I want to prevent the user from pushing an image from the node that was not the output of their own commit. I am not sure I see a use case for commit no-push. Did you have one in mind?
I thought it was timely to raise this given the discussion on runtime client/server abstraction #13768 Near term, this would be Docker runtime, but I can see the desire of supporting pushing to an arbitrary other endpoint for alternative image formats. At minimum, I think this would be introducing the concept of (1) commit and (2) push to the runtime, but I am not sure we need a hook to the end-user that keeps them separate.
I imagined this as similar to
Good question, @csrwng care to weigh in? |
Is there a separate issue that covers being able to commit/push a running pod (ie not just when it exits)? There is some desire to be able to modify a running container and then commit/push the change so you could, for example, make a debug change and then scale up the deployment to test it in a clustered mode, without having to start from scratch with building a new image. if not, can we discuss including that feature here? @rcernich fyi |
@bparees - if you had an API to drive the commit and push, would you still want the hook to do it on container exit? |
@derekwaynecarr I think it depends how the api was secured. for builds we'd probably want to call the api via the user's project's build service account. As long as we're ok giving that service account permission to invoke the commit/push api, that's probably the path we'd take over the post-hook approach. assuming also that the api allowed the commit/push of a pod that had already exited (but not been pruned, obviously) |
(the hook approach does offer the advantage of not having a timing window in which the pod gets purged after exiting and before we have a chance to invoke the commit/push api) |
I would think we could do something similar to what @smarterclayton is proposing with openshift/origin#4819. Another possibility would be to have an intermediary store for the source (internal gitserver) that can be mounted as a volume on the new container. |
Just wanted to share a practical downstream use case for this: today, builds in OpenShift produce a defined image output, but since the build pod is responsible for pushing, it's difficult to make the push resilient to failure. Very often, the pod will exit prior to pushing (deadline on the pod, registry timeout, etc) rendering the built image inaccessible. A new build is then required. Having platform managed pushes seems to solve this neatly. |
As a counter design to making this part of the pod API, can we instead |
Possibly, but how would that outside process know what actions to perform On Thursday, October 1, 2015, Clayton Coleman notifications@github.com
|
Or it's attached to the Kubelet via an observation mechanism. Committing |
Related to #140 |
BTW, I think a PostStop hook is also very helpful, since it offer the advantage of not having a timing window in which the pod gets purged after exiting and before we have a chance to invoke the commit/push. |
Issues go stale after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
I would like the ability to define a hook to commit a container, and push its resulting image to a registry after its completed execution on the local node via a new policy on the Pod.
The use case is for a run-once pod whose result represents an image that should be pushed to a registry for consumption by other actors in the system. To do this today, your container needs access to the docker socket to launch its own container, do the commit, and push outside the knowledge of the Kubelet/Scheduler unaware of actual capacity on the node.
Want to open the issue for discussion, and if it has merit from community, will look to move to a design proposal.
/cc @smarterclayton @ncdc @csrwng @bparees
/cc @kubernetes/goog-control-plane @kubernetes/goog-node
The text was updated successfully, but these errors were encountered: