Open GitHK opened 3 months ago
@GitHK I would prefer we do not start doing it "only for certain services" but in general (aka no spaghetti)
@GitHK I would prefer we do not start doing it "only for certain services" but in general (aka no spaghetti)
That means we have to deprecate all the services in the platform. Nothing can prohibit a container, which runs as root to change ownership of a folder or file.
@GitHK : Can you please confirm or deny that the first approach for this is to simply have the dy-sidecar pull the inputs before being marked as ready
, so effectively delaying the start-up time [yes or no]? Can you comment if this ticket touches at all the scenario when inputs change while the two connected services are already running?
Also, I dont understand your last comment, I cant follow :( ...
@mrnicegyu11
Let's have a recap on how (at the date of writing this post) new style dynamic-sidecars start a dynamic-service (below is an ordered sequence top to bottom of events):
NOTE:
this doesn't contain every single step in detail, just an overview of the steps required to comprehend this ticket
director-v2
creates a docker 2 swarm services: dy-sidecar
and dy-proxy
director-v2
waits for the dy-sidecar
to be readydirector-v2
in parallel || (pulls states
(aka: workspace) and outputs
(aka: content of the output ports)director-v2
runs "docker compose up":
pulled
created
started
user service
container changes the permissions of the inputs directory (which currently is empty)director-v2
waits for all user services
to be in "running" statedirector-v2
configures dy-proxy
to accept incoming trafficFRONTEND_IN_THE_BROWSERS
displays the iframe -> users
see the content of the serviceFRONTEND_IN_THE_BROWSERS
somehow figures out that the service is ready and it pulls the inputs (this is the call sequence generated: browser
-> webserver
-> director-v2
-> dy-sidecar
)What was I truing to say in my ticket's description?
8.
to step 3.
and pull in parallel states
, inputs
, outputs
4. -> v.
is no longer valid, inputs
directory's content is now owned by one of the user services'
(whatever container was the last one to change permissions on the folder)dy-sidecar
to pull inputs, since it no longer has permissions on the folder to write dataHow to avoid this?
inputs
folder's permissionsdy-sidecar
before the user services startQuestions and answers rewritten in short:
SAN
I would prefer we do not start doing it "only for certain services" but in general
Dustin Q1:
does this solution delay the startup time?
size_of(inputs_folder)
> size_of(outputs_folder)
size_of(inputs_folder)
> size_of(states_folders)
Dustin Q2
Can you comment if this ticket touches at all the scenario when inputs change while the two connected services are already running?
As discussed today with ANE:
As discussed today with ANE:
- upgrading the integration-version of the services will allow to tackle backwards compatibility
I think it's also possible (but I need to check), to pull inputs as soon as the the user services containers are reported as ready by docker. Afterward the UI will be allowed to load the iframe. This can be done with the existing services.
again, it is about pulling the inputs before the services are started, which would be logical. that is what you said was tricky for old services.
dy-sidecar
changes ownership on states, inputs and outputs (that allows everyone to access them write/read) -> inputs should only be readonly not write, like we currently have themAcceptance criteria: