Jaeger without the Jaeger Operator #559
keegancsmith
left a comment
LGTM. Few inline questions. Are there any implications to requiring an extra 100m CPU and mem per replica in our clusters?
| RUN apk update | ||
| RUN apk add bash curl | ||
|
|
||
| COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt |
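Review bot: The two `RUN` lines at the top of this hunk split `apk update` from `apk add bash curl`, so the package index lives in its own cached layer: a rebuild can reuse a stale index, and the index files stay in the final image. Suggest collapsing them into a single `RUN apk add --no-cache bash curl`. For the `COPY --from=base` of ca-certificates.crt, a short Dockerfile comment stating that the trust store is inherited from the `base` stage would make it clear that certificate updates come from bumping that image's version.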
You could just install ca-certificates in the above line, would seem "safer". Also do we need bind-tools @slimsag? This agent does need to resolve the address of the jaeger collector. However, I don't think bind-tools is needed in k8s?
Is bind-tools necessary for DNS resolution? If so, it may be required for the "send spans to external jaeger-collector" use case (which is documented, but I haven't actually tested). I will check that scenario.
apk add ca-certificates is indeed what is run in the standard jaeger-agent image. We could run it here instead of copying the value from the standard jaeger-agent image. Benefit would be we might have slightly more up-to-date certs, but at the cost of not as closely tracking the source image. My preference is to track the base image as closely as possible (and update the base image version if an update is required).
> Is bind-tools necessary for DNS resolution?
I think some customers using the deploy-sourcegraph-docker method needed the bind-tools package. I don't think it is needed for k8s clusters, but just wanted to confirm that.
> If so, it may be required for the "send spans to external jaeger-collector" use case (which is documented, but I haven't actually tested). I will check that scenario.
Isn't it also needed to send to the collector in the cluster? I.e., we do a DNS lookup, don't use a hardcoded IP.
> apk add ca-certificates is indeed what is run in the standard jaeger-agent image. We could run it here instead of copying the value from the standard jaeger-agent image. Benefit would be we might have slightly more up-to-date certs, but at the cost of not as closely tracking the source image. My preference is to track the base image as closely as possible (and update the base image version if an update is required).
Yeah, sounds good to just keep this line as it is then.
> Isn't it also needed to send to the collector in the cluster? I.e., we do a DNS lookup, don't use a hardcoded IP.
I don't think so? At least, the jaeger-agent has no problem talking to the collector in the test cluster I spun up.
bind-tools is needed for DNS resolution in pure Docker and Docker Compose environments. See https://sourcegraph.com/github.com/sourcegraph/sourcegraph@730f31fb13b8380ed02fd01fe4a8583e43b029d4/-/blob/docker-images/alpine/Dockerfile#L17-23
Yes, if a cluster is at 100% resource utilization, this might require the addition of another node to the cluster. I will call this out in the docs.
Co-Authored-By: Keegan Carruthers-Smith <keegan.csmith@gmail.com>
don't want to expose the jaeger ports and can't mix UDP and TCP in one service
| FROM jaegertracing/jaeger-agent:$JAEGER_VERSION as base | ||
|
|
||
| FROM alpine:3.11.5 | ||
| RUN apk --no-cache bash curl |
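Review bot: `RUN apk --no-cache bash curl` on the last line of this hunk has no `add` subcommand, so apk is handed `bash` as its command and the packages are not installed. It should read `RUN apk add --no-cache bash curl`. Separately, `FROM jaegertracing/jaeger-agent:$JAEGER_VERSION` depends on an `ARG JAEGER_VERSION` declared before the first `FROM`; that declaration is not visible in these lines, so please confirm it exists and is pinned to a specific version.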
Are these Dockerfiles ONLY going to be used by deploy-sourcegraph, or are they also going to be used by deploy-sourcegraph-docker?
If the latter, these should all be moved into https://github.com/sourcegraph/sourcegraph/tree/master/docker-images and follow the conventions there.
This is also extremely important because I want us to get all Docker images versioned alongside Sourcegraph (3.14.1 instead of <arbitrary> tags).
| # Web HTTP | ||
| EXPOSE 16686 | ||
|
|
||
| VOLUME ["/tmp"] |
Will this Docker image ever be used in non-Kubernetes environments? If yes, you MUST create /tmp within the image with the desired permissions or else the container will not be able to write to /tmp in certain environments. See https://sourcegraph.com/github.com/sourcegraph/sourcegraph@730f31fb13b8380ed02fd01fe4a8583e43b029d4/-/blob/cmd/precise-code-intel/api-server/Dockerfile#L30-37
I will address @slimsag's comments in a follow up to this PR (as I tackle Jaeger in Docker Compose).
--memory.max-traces=20000 to limit memory consumption and memory/cpu resources of Jaeger resource objects are limited, but sufficient to handle 20000 spans (under the assumption that each span is less than 1KB)
TODO
bind-tools is necessary (no)
Post-merge follow-up