Support bootc #830
Support bootc #830
Conversation
|
Skipping CI for Draft Pull Request. |
roles/edpm_kernel/defaults/main.yml
Outdated
| @@ -36,3 +36,4 @@ edpm_nova_compute_config_dir: /var/lib/config-data/ansible-generated/nova_libvir | |||
|
|
|||
| # KSM control | |||
| edpm_kernel_enable_ksm: false | |||
| edpm_use_bootc: false | |||
There was a problem hiding this comment.
We probably need a better way to implement this globally. But at least for testing purposes, this is what I've used to get something that deploys.
There was a problem hiding this comment.
This is why I added the edpm_bootc role in #813 so that we had a way to do it consistently across anywhere that needs it.
There was a problem hiding this comment.
Also, I created a new bootc branch for edpm-ansible: https://github.com/openstack-k8s-operators/edpm-ansible/tree/bootc
Can you propose this PR to the bootc branch instead?
I'll be reverting #813 from main until we are ready to merge all bootc support into main.
There was a problem hiding this comment.
Branch thing is done. But that role would need to be called from each and every playbook to detect and set the bootc variable right? I guess we can just add it as a ansibleVar and avoid calling the role each and every time we start a new service.
There was a problem hiding this comment.
So, we can use a custom fact. For example:
cat /etc/ansible/facts.d/bootc.fact
#!/usr/bin/env bash
is_bootc() {
BOOTC_STATUS=$(sudo bootc status --json | jq .status.type)
if [[ "$BOOTC_STATUS" == \"bootcHost\" ]]; then
BOOTC_SYSTEM="true"
else
BOOTC_SYSTEM="false"
fi
}
is_bootc
echo ${BOOTC_SYSTEM}
This is good from the perspective of not needing the user to manually define that they are using a bootc system, plus it works for our non bootc systems:
[m3@osp-df-3 bootc]$ ansible -i inv.yaml all -m setup -a "filter=ansible_local"
edpm-compute-1 | SUCCESS => {
"ansible_facts": {
"ansible_local": {
"bootc": true
},
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false
}
So you could combine them in the same NodeSet if you wanted to. But, the down side of this approach is that we need to gather facts from each service. We have thus far tried to limit the amount of fact gathering required, so this approach my not be what we want to do without some more granular control of which facts are being gathered in each service. At the moment, we just define a variable for gather_facts. If that variable is true, then we gather all facts. Obviously, that becomes necessary if we want to allow individual task executions that require facts, but when we want to just gather local facts, then gathering all of them introduces non-trivial time to our executions of each service.
Offering it as a potential solution that we can debate. The alternative is that we require either bootc or non-bootc nodes in each NodeSet.
| - name: Push script | ||
| ansible.builtin.copy: | ||
| dest: /usr/local/sbin/containers-tmpwatch | ||
| dest: /var/lib/openstack/cron/containers-tmpwatch |
There was a problem hiding this comment.
/usr is immutable with bootc deployments. So I've proposed doing this in two different ways. 1, we bake the scripts into the container file:
https://github.com/openstack-k8s-operators/install_yamls/pull/950/files#diff-f8fb9af5355b45b9ca8936bf0d721c6f0e37e13b637f5598e2be19995dea23e7R45-R46
And 2. Which is this method of writing to /var/lib/openstack. I personally prefer doing it this way if we can agree on a common place for any scripts that we want to use. That saves us baking things into images and then trying to keep them in sync. Better imo to have them in edpm-ansible for now.
roles/edpm_ovn/tasks/run.yml
Outdated
| ansible.builtin.include_role: | ||
| name: osp.edpm.edpm_container_standalone | ||
| vars: | ||
| edpm_container_standalone_service: ovn_controller | ||
| edpm_container_standalone_container_defs: | ||
| ovn_controller: "{{ lookup('template', 'ovn_controller.yaml.j2') | from_yaml }}" | ||
| edpm_container_standalone_kolla_config_files: | ||
| ovn_controller: "{{ lookup('template', 'kolla_ovn_controller.yaml.j2') | from_yaml }}" |
There was a problem hiding this comment.
All of this needs to stay in order to support both deployment methodologies. It can just be conditional like:
https://github.com/openstack-k8s-operators/edpm-ansible/pull/830/files#diff-34e3323585e197e806d463771e3b5132716048c41818b1318fecb2c0d8e36cd6R45
bshephar
force-pushed
the
support-bootc
branch
from
dd3d198 to
cde9667
Compare
bshephar
force-pushed
the
support-bootc
branch
12 times, most recently
from
ffd86e6 to
54f7101
Compare
roles/edpm_ovn/tasks/run.yml
Outdated
| {{ | ||
| ovn_controller_pod_spec | combine({ | ||
| 'spec': { | ||
| 'containers': ovn_controller_pod_spec.spec.containers | zip_longest([], [{'image': edpm_ovn_controller_agent_image}]) | map('combine') | list, |
There was a problem hiding this comment.
I believe that if we were to customize the image like this then by definition the container is no longer "logically bound". Instead, it would be considered a "floating" container per https://containers.github.io/bootc/logically-bound-images.html#comparison-with-default-podman-systemd-units
and also:
There is no mechanism to inject arbitrary arguments to the podman pull (or equivalent) invocation used by bootc.
which seems to apply additional mounts or other options passed to podman pull are not possible.
The dynamically-injected ConfigMaps[1][2] may provide some customization, but that is still not likely for the app container image itself, b/c once that is changed to some other image, then that no longer fits into how logically bound images should be managed with the lifecycle of the base bootc image itself.
Point being...if we choose to allow the ability to podman run any arbitrary image at runtime, then these really aren't logically bound images at all, but are considered "floating".
The question becomes, should we adopt logically bound images, and require our end users to be building new bootc images before deploying EDPM nodes, depending on if they need to customize any of the container images? We could ship a bootc image that had all the images logically bound, but if a user wanted to run a different one (from a partner, etc) they they would need to rebuild that image.
I do like the quadlet/systemd design, and I think we can still adopt that either way.
[1] https://containers.github.io/bootc/building/guidance.html?highlight=configmap#configuration
[2] containers/bootc#22
bshephar
force-pushed
the
support-bootc
branch
2 times, most recently
from
a0569c4 to
b590229
Compare
|
I created a new bootc branch for edpm-ansible: https://github.com/openstack-k8s-operators/edpm-ansible/tree/bootc Can you propose this PR to the bootc branch instead? I reverted #813 from main in #844 I think that was the only other bootc related PR that has merged. |
bshephar
force-pushed
the
support-bootc
branch
4 times, most recently
from
1afffaf to
51a8b34
Compare
|
|
||
| - name: Import packages tasks | ||
| ansible.builtin.import_tasks: packages.yml | ||
| when: not ansible_local.bootc |
There was a problem hiding this comment.
You need to update this change based on the commit I made earlier to handle bootc. packages.yml is already included earlier at line 24 using the other variable I had used "bootc". So that needs to be undone so we can go forward with what you're proposing here.
There was a problem hiding this comment.
also should we switch this to include_tasks so that the when will skip all the tasks at once instead of individually?
There was a problem hiding this comment.
I also see that the only reason ansible_local.bootc is set here is because of the task in bootstrap_command.yml to read local facts. I think we need that to be more explicit. Probably add something directly in bootstrap.yml.
I believe this answers my earlier comment on playbooks/bootstrap.yml on how the fact is initially set. We should make it more explicit.
| @@ -42,6 +42,7 @@ | |||
| name: osp.edpm.edpm_kernel | |||
| tags: | |||
| - edpm_kernel | |||
| when: not ansible_local.bootc | |||
There was a problem hiding this comment.
How is the fact ansible_local.bootc initially gathered given that gather_facts defaults to false in the playbook?
There was a problem hiding this comment.
We need to figure out what we want this to look like still. I have just set gather_facts: true in my deployment Ansible vars.
Maybe we would need to change the default for it to gather_subset: local at a minimum. It's not ideal that we would gather all facts for every service, but at the moment, that's what my gather_facts: true is doing until I come up with something better.
There was a problem hiding this comment.
we will also need to guard the task Download packages from roles/edpm_download_cache/tasks/main.yml with the fact
to workaround this I dropped download-cache from my NodeSet services
There was a problem hiding this comment.
seems like the Insert cronjob in root crontab task requires the cronie rpm. We might need to add that to the image build.
There was a problem hiding this comment.
bshephar
force-pushed
the
support-bootc
branch
4 times, most recently
from
29ca81f to
8d92a63
Compare
This change moves the script we're using for the logs cronjob into the /var/lib/openstack/cron directory. This facilitates the bootc immutable filesystem where we can't write to /usr, while also consolidating scripts relevant to our deployment in a common place. Signed-off-by: Brendan Shephard <[email protected]>
bshephar
force-pushed
the
support-bootc
branch
3 times, most recently
from
a0efece to
94f062b
Compare
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
bshephar
force-pushed
the
support-bootc
branch
2 times, most recently
from
0260435 to
0d05701
Compare
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
Signed-off-by: Brendan Shephard <[email protected]>
bshephar
force-pushed
the
support-bootc
branch
from
0d05701 to
d56b311
Compare
| ansible.builtin.systemd_service: | ||
| name: edpm-compute@logrotate_crond | ||
| enabled: true | ||
| state: started |
There was a problem hiding this comment.
I think we need to separate out this initial bootc support from the logically bound containers PR, openstack-k8s-operators/edpm-image-builder#39
This PR has a strong dep on the logically bound PR, and that complicates things. Let's just get a base bootc working with how we manage containers presently. We can move to logically bound and all the quadlet/systemd stuff as a next step.
There was a problem hiding this comment.
Yeah, ok. Let's decouple them. I'll just submit a new PR to edpm-image-builder to change the Quadlet files over to using .container instead of .kube. Then a new one here to work with those instead of the .kube files.
|
So, we merged a subset of this in the interest of slimming down the number of required changes. Let's backlog this particular piece of work in favor of getting something demo worthy. We'll collect feedback, and then we can loop back on the logically bound images work if we feel it's still worth pursuing. |
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This PR adds a number of changes to roles in order to facilitate the use of image mode RHEL.