Add support for copying up directories into tmpfs when a tmpfs is mounted over them #707
Conversation
|
Is there a way to make this an option so that there is a way to disable it? |
|
Yeah, I think we can make this a mount option or a runtime flag. I think mount option might be less intrusive. |
|
Either work for me |
|
I would prefer it enabled by default. /tmp:clean |
mrunalp
force-pushed
the
tar_tmpfs
branch
2 times, most recently
from
e115580 to
1e50aa0
Compare
|
Updated to introduce a |
| Relabel string `json:"relabel"` | ||
|
|
||
| // Extensions are additional flags that are specific to runc. | ||
| Extensions int `json:"extensions"` |
There was a problem hiding this comment.
While I love the use of bits for this, I feel like it's more Go-like to use a slice of integers (which is parsed from a slice of strings) or something like that (so it makes sense when you look at the JSON). Or we could use bits internally but make the JSON a slice of strings.
There was a problem hiding this comment.
This is internal. The option is passed as copyup in mount options in the config json.
|
I thought we wanted to get away from deps in docker but now we are adding almost 10k lines. We were so close!!!!! |
libcontainer/rootfs_linux.go
Outdated
| if err := os.MkdirAll(dest, 0755); err != nil { | ||
| return err | ||
| } | ||
| } else { |
There was a problem hiding this comment.
I'm not sure this should be an else, because the point of the if is to create the mountpoint? Or am I misunderstanding what you're doing here?
|
@crosbymichael Yeah, I was also surprised at what all had to be pulled in. I can look into alternative libraries for handling this. (The docker pkg/archive package seemed super easy to use :) ) |
|
@crosbymichael Yeah, I'm quite disappointed about all of the dependencies on Docker. IMO we should work on separating out a lot of the @mrunalp It'd be great if there's nicer libraries for handling this. I really want to limit how much we pull in from Docker. |
|
@mrunalp Overall, I like this. But as I mentioned there's a few things I'd like to see fixed (and a lot of dependencies nixed). I'm not entirely sure about using So yeah, design LGTM. |
|
@cyphar Yeah, will address your comments. I think using tar (or some equivalent) is the simplest option for what we are doing here for now. Thanks! |
libcontainer/rootfs_linux.go
Outdated
| if err != nil { | ||
| return fmt.Errorf("failed to tar archive: %v", err) | ||
| } | ||
| tmpFile, err := ioutil.TempFile("/run", "runctmpfile") |
There was a problem hiding this comment.
This is using /run on the host right?
There was a problem hiding this comment.
Yes, it is.
Sent from my iPhone
On Mar 30, 2016, at 5:45 PM, Michael Crosby [email protected] wrote:
In libcontainer/rootfs_linux.go:
stat, err := os.Stat(dest) if err != nil { if err := os.MkdirAll(dest, 0755); err != nil { return err }
} else {if copyUp {tarStream, err = archive.Tar(dest, archive.Uncompressed)if err != nil {return fmt.Errorf("failed to tar archive: %v", err)}tmpFile, err := ioutil.TempFile("/run", "runctmpfile")—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
There was a problem hiding this comment.
Definitely use /run not /tmp, since /tmp could be attacked by non priv users.
|
@crosbymichael WDYT about a smaller version of docker pkg/archive to a different repo that doesn't have as many dependencies. I have that working with just a docker dependency on pkg/pools. I can clean this new repo up as docker packages are moved out into first class packages. |
|
@crosbymichael Something like this https://github.com/mrunalp/archive |
|
@mrunalp we can get a |
|
@crosbymichael Yeah, moving it out will be best but it has dependencies on 6 other packages. |
|
I think it makes sense to move all of them out if you'll are okay with it :) |
|
We should open an issue for it |
|
@crosbymichael I have opened moby/moby#21700. Thanks! |
|
Any movement on this? |
|
@crosbymichael Any thoughts? I don't think there was any conclusion on moby/moby#21700 |
|
mrunalp is this possible to do this just using the gotar? Or would you end up having to build archive all over again? |
|
@rhatdan It ends up being most of archive. That's what I did here https://github.com/mrunalp/simpletar. |
|
@mrunalp I'd recommend using the path-related tools in Docker because you can get some pretty hairy filesystem breakouts. I'd just prefer we stuck with the Docker implementation, just because it's more tested and is very careful about the edgecases caused by scoping the root. |
|
@cyphar I agree and that's what I started this PR with ;) The issue is we didn't want to pull in so many dependencies from the docker repo. |
Signed-off-by: Mrunal Patel <[email protected]>
Also, defines a EXT_COPYUP flag for supporting tmpfs copyup operation Signed-off-by: Mrunal Patel <[email protected]>
Signed-off-by: Mrunal Patel <[email protected]>
If copyup is specified for a tmpfs mount, then the contents of the underlying directory are copied into the tmpfs mounted over it. Signed-off-by: Mrunal Patel <[email protected]>
|
Closing because this was replaced by another PR |
I expect the lifecycle information was removed accidentally in be59415 (Split create and start, 2016-04-01, opencontainers#384), because for a time it seemed like that PR would also be removing hooks. Putting the lifecycle information back in, I made some tweaks to adjust to the new environment, for example: * Put the pre-start hooks after the 'start' call, but before the meat of the start call (the container-process exec trigger). Folks who want a post-create hook can add one with that name. I'd like to have renamed poststop to post-delete to avoid confusion like [1]. But the motivation for keeping hooks was backwards compatibility [2] so I've left the name alone. * Put each "...command is invoked..." lifecycle entry in its own list entry, to match the 'create' list entry. * Move the rules about what happens on hook failure into the lifecycle. This matches pre-split entries like: If any prestart hook fails, then the container MUST be stopped and the lifecycle continues at step 7. and avoids respecifying that information in a second location (config.md). * I added the warning section to try and follow post-split's generic "generates an error" approach while respecting the pre-split desire to see what failed (we had "then an error including the exit code and the stderr is returned to the caller" and "then an error is logged"). * I left the state 'id' context out, since Michael didn't want it [3]. * Make runtime.md references to "generate an error" and "log a warning" links, so readers have an easier time finding more detail on that wording. Where I reference a section, I'm still using the auto-generated anchor for that header and not the anchors which were added in 41839d7 (Merge pull request opencontainers#707 from mrunalp/anchor_tags, 2017-03-03) and similar. Mrunal suggested that the manually-added anchors were mainly intended for the validation tooling [4]. [1]: opencontainers/runtime-spec#395 Subject: Run post-stop hooks before the container sandbox is deleted. [2]: opencontainers/runtime-spec#483 (comment) Subject: *: Remove hooks [3]: opencontainers/runtime-spec#532 (comment) Subject: Restore hook language removed by create/start split [4]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/%23opencontainers.2017-03-03.log.html#t2017-03-03T18:02:12 Signed-off-by: W. Trevor King <[email protected]>
5 participants
This helps in supporting read-only containers.
For e.g. if one specifies a tmpfs at /etc then the contents of /etc are copied up into the tmpfs and discarded on container exit.
Signed-off-by: Mrunal Patel [email protected]