Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support/document usage with read-only rootfs on the host #8253

Closed
yangm97 opened this issue Nov 5, 2020 · 9 comments
Closed

Support/document usage with read-only rootfs on the host #8253

yangm97 opened this issue Nov 5, 2020 · 9 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@yangm97
Copy link
Contributor

yangm97 commented Nov 5, 2020
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

Currently its not possible to perform even read-only operations (such as podman ps) when the graphroot happens to be in a read-only volume (for instance, when the host / is mounted as ro, either intentionally or because ext4 went "oopsie").

However we already a somewhat working solution for that specific use case: move the graphroot to an ephemeral mount. Assuming you want to use images and volumes stored at the default graphroot (as I did for testing this idea) you could change your config like this:

/etc/containers/storage.conf:

[storage]
graphroot = "/run/containers/storage"

[storage.options]
additionalimagestores = [
  "/var/lib/containers/storage"
]

/etc/containers/containers.conf:

[engine]
volume_path = "/var/lib/containers/storage/volumes"

This will work fine until the next reboot. Since volume metadata seems to be persisted on the boltdb store (and not in the volume_path), podman won't know about their existence once the graphroot is recreated, and trying to recreate those volumes results in an error since f7e72bc: #8254

Error: error creating volume directory "/var/lib/containers/storage/volumes/bla/_data": mkdir /var/lib/containers/storage/volumes/bla/_data: file exists

I don't know if this behavior is intentional or not but I've created a little PR which should revert it:

I know this PR doesn't actually fix the core issue but it should be enough of a fix for when you want:

  • images stored in a read-only partition
  • user data is in a rw partition
  • podman state is as ephemeral as the containers it manages

Steps to reproduce the issue:

Describe the results you received:

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

(paste your output here)

Output of podman info --debug:

(paste your output here)

Package info (e.g. output of rpm -q podman or apt list podman):

(paste your output here)

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes/No

Additional environment details (AWS, VirtualBox, physical, etc.):
@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 5, 2020
@yangm97 yangm97 mentioned this issue Nov 5, 2020
Merged
@rhatdan
Copy link
Member

rhatdan commented Nov 6, 2020

What error are you seeing when the system is in read/only mode? Overlayfs complaining about not being setup correctly?

@yangm97
Copy link
Contributor Author

yangm97 commented Nov 6, 2020

@rhatdan

Error: error opening database /var/lib/containers/storage/libpod/bolt_state.db: open /var/lib/containers/storage/libpod/bolt_state.db: read-only file system

@rhatdan
Copy link
Member

rhatdan commented Nov 7, 2020

@mheon I would figure this would take quite a bit of work to make the database able to handle read/only mode? Basically we are opening the database in read/write mode and the open is failing. If we fell back to read/only mode, then lots of other calls are going to fail.

@mheon
Copy link
Member

mheon commented Nov 7, 2020 via email

@rhatdan
Copy link
Member

rhatdan commented Nov 8, 2020

I don't think @yangm97 is after full support, it would just like to run the read/only type functions, podman version, podman info, podman ps.

@mheon
Copy link
Member

mheon commented Nov 8, 2020 via email

@yangm97
Copy link
Contributor Author

yangm97 commented Nov 9, 2020

I don't think we can support r/o - the container state has to be stored somewhere (PID, IP addresses, etc). It may be feasible to store the DB on a tmpfs but we'd lose track of new containers on a reboot.

Unless you manage your containers using some supervisor (such as systemd units with the --new flag, which is how I'm doing it right now). Aside from that, you also need to store cni data in a tmpfs if you want to create container interfaces/networks on the fly (I am using --net=host so I didn't notice this earlier).

I've been using the setup described in OP since I opened this, so far so good. I believe it would be cool if this kind of setup was documented. Although it misses persistent volume metadata, that could be fixed by storing the volumes db inside the volumes directory, which has some potential aside from persisting volume ls across reboots (NFS?).

Or maybe podman could fallback to tmpfs like journald and systemd do, possibly frown at the user if they attempt to do some sort of purposeful state modification (to set aside from implicit state modifications such as when you do container ps).

For instance, creating (without --rm, to make explicit this container is intended to be ephemeral)/removing containers, pulling images, etc. would not be allowed but starting existing containers would be fine.

That would be more restrictive than simply moving the graph to tmps as I did, but would still be permissive enough to allow your application to boot despite your rootfs going read-only due some unexpected fs issue.

@rhatdan
Copy link
Member

rhatdan commented Nov 14, 2020

Please open a PR to document this. Or we have just started using the WIKI assocated with this github, you could document this there.

https://github.com/containers/podman/wiki

@yangm97
Copy link
Contributor Author

yangm97 commented Nov 25, 2020

Done.

@yangm97 yangm97 closed this as completed Nov 25, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rhatdan @yangm97 @mheon @openshift-ci-robot