Allow systemcontainers to install, run, and uninstall in one go

[ashcrow]

This change adds a new optional label called atomic.run. When set to once the image will be extracted, run, and cleaned up. This currently requires the use of --system.

The idea behind this new option is that there are cases where a system container would not be a full fledged service on a host. For example, the openshift-ansible installer isn't a service, but a containerized installer.

Example:

$ sudo atomic pull --storage ostree docker:testcontainer:latest
$ sudo atomic install --system testcontainer:latest
Extracting to /ostree/repo/tmp/atomic-container/15926/rootfs
HI
$ ls /ostree/repo/tmp/atomic-container/15926/rootfs
ls: cannot access '/ostree/repo/tmp/atomic-container/15926/rootfs': No such file or directory
$

/cc @sdodson @tbielawa

[giuseppe]

when I firstly suggested this I forgot we had an extract. Sorry :)

At some point we will need an OSTree temporary storage (also to fix mount) but for now I think it would be better if we can do something like:

try:
    self.extract(img, tmpdir)
    generate_systemd_directives(...)
    os.chdir("$tmpdir/rootfs")
    util.call(...)
finally:
   shutil.rmtree(tmp)

tmpdir is better created under the OSTree repository so we are sure to use hard links and the checkout is faster. The _try_ostree_mount function in mount.py does that (we will need to copy/move it to syscontainers). Anyway, I'll have to fix this for the RPM stuff as well so feel free to ignore this part.

What do you think?

I see in your TODO list that there is to create the runc directives for --user. That should be already done by generate_systemd_startstop_directives now to use bwrap-oci so there should not be anything to do for this.

[ashcrow]

What do you think?

SGTM. I'll update this afternoon.

I see in your TODO list that there is to create the runc directives for --user. That should be already done by generate_systemd_startstop_directives now to use bwrap-oci so there should not be anything to do for this.

Perfect!

[rhatdan]

We keep making changes to system containers that force the user to have some kind of knowledge of how to install the image, can we remove the option and just put something like a label into the container to do a --oneshot? Force the image developer to define how to install his image and allow the atomic command to react. I want the same thing for --system.

If I do
atomic install foobar

And foobar is intended to be a --oneshot --system container I will be prone to forget those options.

[ashcrow]

@rhatdan that's a really good point. If --system is going to make that change --oneshot should be done that was as well. @giuseppe if you're on board with this as well we can work on this together if you'd like.

[giuseppe]

@ashcrow, sure! A container that is designed to be "oneshot" probably makes no sense at all to have it normally installed so a label that indicates this behaviour can make this easier for the user.

[ashcrow]

@giuseppe I'll pull the option code out of this PR, take a look at how labels are used, and see if I can't put something together. I'll probably bug you a bit 😆

[ashcrow]

I created an atomic.run label which, if used and set to once will extract, run, and clean up after the extract.

Labels

LABEL "Name"="atomic-test-system"\
      "atomic.run"="once"\
      "atomic.type"="system"

Run

$ sudo python atomic install --system o:latest
Extracting to /tmp/oIg9Ulv/rootfs
HI
$ ls /tmp/oIg9Ulv/rootfs
ls: cannot access '/tmp/oIg9Ulv/rootfs': No such file or directory

Question

@giuseppe I noticed that using atomic.type as system didn't react the same was as using the --system option. Is this by design?

[giuseppe]

@ashcrow Nice!

We should probably add a check for the type of container also for already pulled images, I guess you are pulling it directly from the local Docker engine? We do that now for images pulled from a registry.

I've added a fixup commit here: https://github.com/giuseppe/atomic/tree/oneshot

I have not tested it, just wanted to share it quickly.

I've done some small changes, also added the possibility of generating the configuration from the config.json.template file and support for systemd tmpfiles, if the container needs to bind directories/files not present on the file system when it starts.

Some code is deliberately duplicated in the new function, as it will save some merge conflicts with #949.

I also like the new path for _run_once as in the future I'd like we treat these containers separately: we will have a "layers storage" that we can use for mounting images and at the same time for running one shot containers since they are managed by atomic, we can setup the overlayfs for mounting the layers, and proceed with the cleanup once it is done.

Another change is to use a tmpdirectory under the OSTree repository, so we use hard links instead of copying the files. I think at this point all the features we need to support are there.

What do you think?

[ashcrow]

@giuseppe I'll pull in and test.

[yuqi-zhang]

@ashcrow with regards to "atomic.type=system" vs "install --system" there are some discrepancies. I added a PR here to address some issues: #954

[ashcrow]

@yuqi-zhang thanks for the info!

@giuseppe I'm thinking that inspect_system_image won't end up being enough. The failures CI is finding is related to image names such as "docker:atomic-test-system:latest" which the inspect_system_image doesn't seem made for. Any pointers before I dig deeper in the code?

[giuseppe]

@ashcrow let's add another exception for now not image.startswith('dockertar:/') and not (image.startswith("docker:") and image.count(':') > 1).

_install has the code for pulling the image and then use the canonical name for the image, we can move the new code there once #949 gets merged and we don't end up in merge conflicts.

[giuseppe]

I've added another fixup commit that solves the issue and a few other things. There is only one missing part now, and that we need to set the correct values or the installation with template files will fail. Now this code is in _do_checkout .

This requires some refactoring as the code in common must be moved out of _do_checkout, but I'd prefer if we do this after: #949 as it changes a lot of stuff around there.

The next failure in the tests is fixed by 10ba9dc (which is part of #949). No idea how this could get broken.

[giuseppe]

once 949 gets merged, we can use this commit here to refactor out the generate values function and use from here as well:
https://github.com/giuseppe/atomic/tree/move-read-values

[ashcrow]

Local testing worked as expected.

[giuseppe]

yes, I've done some testing as well and it worked for me (except handling template files). We should probably add the oneshot image to the testing images as well.

[ashcrow]

@giuseppe I'll add that shortly. I'll also stage a Labels document for the atomic-system-containers repo.

[giuseppe]

@ashcrow thanks, could the image include a config.json.template file instead of config.json?

[ashcrow]

@giuseppe the test image? Sure.

[rh-atomic-bot]

☔ The latest upstream changes (presumably 1b216a4) made this pull request unmergeable. Please resolve the merge conflicts.

[ashcrow]

Added a Dockerfile for the change and rebased.

[ashcrow]

I'll add to integration tests an look at your added patch in the morning @giuseppe.

[ashcrow]

This PR is ready for review.

[giuseppe]

LGTM

[ashcrow]

/cc @baude

[baude]

? leftover

[ashcrow]

Yes, good catch. Will update.

[baude]

I know we are not outwardly changing at of the interfaces to the users which usually prompts someone to do updates a docs/ file. I'm thinking however it might be worth noting this change and the labels in the docs somwhere.

[ashcrow]

Right now there are 3 (or more?) places that document labels. I'm planning on adding it in the Atomic System Containers repo and, as it is used, should propagate to wherever becomes the proper place. Or at least that is the theory.

[baude]

@ashcrow @giuseppe This might be out of scope but I would really love a mechanism for systemcontainers that would allow us to copy files from the system container to the host filesystem during install. This seems like the right place for something like that. Not sure.

[ashcrow]

Removed the leftover and rebased (for good measure).

⬆️

[rhatdan]

@baude Ready to merge?

[baude]

@rh-atomic-bot r+ 6887eab

[rh-atomic-bot]

⌛ Testing commit 6887eab with merge 5b5dffa...

[rh-atomic-bot]

☀️ Test successful - status-redhatci
Approved by: baude
Pushing 5b5dffa to master...