containers / build

another build tool for container images (archived, see https://github.com/rkt/rkt/issues/4024)
Apache License 2.0

/dev, /proc and /sys are not mounted in my running rkt container #322

Closed kfirufk closed 7 years ago

kfirufk commented 7 years ago

Hello...

I'm using the php docker image as the base image for my container, in order to add additional extensions to php.

Everything works fine.. the image is created.. but when I'm running it and I execute 'rkt enter ID', I notice that /dev, /proc and /sys are not mounted. Any ideas why?

this is my build script:


```bash
#!/usr/bin/env bash
set -e
if [ "$EUID" -ne 0 ]; then
    echo "This script uses functionality which requires root privileges"
    exit 1
fi

PHP_VERSION=7.1.7
ACBUILD_FLAGS="--debug"

# Start the build from the official php-fpm alpine docker image
acbuild ${ACBUILD_FLAGS} begin docker://php:${PHP_VERSION}-fpm-alpine

# In the event of the script exiting, end the build and keep the original exit status
acbuildEnd() {
    export EXIT=$?
    acbuild ${ACBUILD_FLAGS} end && exit $EXIT
}
trap acbuildEnd EXIT

# Name the ACI and set its labels
acbuild ${ACBUILD_FLAGS} set-name tux-in.com/php-fpm
acbuild ${ACBUILD_FLAGS} label add version 0.1
acbuild ${ACBUILD_FLAGS} label add arch amd64
acbuild ${ACBUILD_FLAGS} label add os linux

acbuild ${ACBUILD_FLAGS} run -- apk upgrade -U

# Retry the package installation until the download succeeds
until acbuild ${ACBUILD_FLAGS} run -- apk add freetype alpine-sdk sed libtool zlib-dev openssl-dev bzip2-dev curl-dev jpeg-dev freetype-dev gettext-dev libmcrypt-dev libpq postgresql-dev sqlite-dev libedit-dev dpkg dpkg-dev; do
    echo "failed to download packages.. retrying.."
    sleep 2
done

until acbuild ${ACBUILD_FLAGS} run -- docker-php-ext-configure zip; do
    echo "failed to configure the zip extension.. retrying.."
    sleep 2
done

# "|| true" keeps the build going even if one of the extensions fails to build
acbuild ${ACBUILD_FLAGS} run -- docker-php-ext-install -j5 zip bz2 curl exif fileinfo gd gettext iconv mcrypt pdo_mysql pdo_pgsql pdo_sqlite readline reflection session || true
acbuild ${ACBUILD_FLAGS} port add php-fpm tcp 9000

# Run php-fpm in the foreground as the image's entry point, then write the ACI
acbuild ${ACBUILD_FLAGS} set-exec -- /usr/local/sbin/php-fpm -D
acbuild ${ACBUILD_FLAGS} write --overwrite tuxin-php-fpm-1.0-linux-amd64.aci
```

and the systemd unit file that starts rkt-php-fpm is the following:

```ini
[Unit]
Description=PHP-FPM
Requires=network-online.target local-fs.target
After=network-online.target local-fs.target

[Service]
Slice=machine.slice
ExecStart=/usr/bin/rkt run --net=host --insecure-options=image \
  --volume php-etc,kind=host,source=/mnt/storage/php/etc,readOnly=true \
  --volume nginx-vhosts,kind=host,source=/mnt/storage/nginx/vhosts,readOnly=false \
  --volume logs,kind=host,source=/mnt/storage/php/log,readOnly=false \
  --volume html,kind=host,source=/mnt/storage/nginx/html,readOnly=false \
  --mount volume=php-etc,target=/usr/local/etc \
  --mount volume=nginx-vhosts,target=/var/www/html-vhosts \
  --mount volume=logs,target=/usr/local/var/log \
  --mount volume=html,target=/var/www/html \
  /home/ufk/dev/acbuild-builds/tuxin-php-fpm-1.0-linux-amd64.aci
KillMode=mixed
Restart=always
RestartSec=0
ExecStopPost=/usr/bin/rkt gc --mark-only

[Install]
WantedBy=multi-user.target
```

I'm on Container Linux by CoreOS 1465.0.0 (Ladybug) with rkt version 1.27.0 and latest acbuild from git.

thank you! :)

lucab commented 7 years ago

Can you check if the real application actually sees those? I think this is just an artifact of rkt enter behavior, which is not exactly entering the same namespaces as seen by the running application.

kfirufk commented 7 years ago

The real application sees those! :) Thanks. If I need to enter the rkt container to build and test some stuff, and I need a proper /proc for that, would I need to open ssh for each container, or is there a different way to resolve this?

lucab commented 7 years ago

This probably needs some patching on the rkt enter side to detect that there is a nested mount namespace and to enter it. The tricky part is that this additional mount namespace is optional (systemd creates it) and it must be detected by inspecting the top pid of your app, which is unknown.

As a workaround if you just need /proc and /sys, after rkt-entering you can either mount them or nsenter the mount-ns of your app, depending on which binary you have available.

Can you please report this to the rkt bug tracker? It is probably not so easy and widespread to fix it immediately, but it's worth tackling eventually.
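
The workaround described above, as an added example that is not part of this thread or of the rkt/acbuild projects: a POSIX shell script that reads the mount table the entered shell sees, reports which of /dev, /proc and /sys are absent, and prints either the direct mount commands or the nsenter command. It assumes the app is php-fpm and that pgrep and nsenter, where used, exist in the image; the sample mount table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list which of /dev, /proc, /sys are
# missing from the mount table a `rkt enter` shell sees, and print lucab's
# repair steps: mount /proc and /sys directly, or nsenter the app's mount
# namespace. Commands are only printed; run them as root inside the pod.
# APP_NAME=php-fpm is an assumption matching the pod in this thread.

# missing_mounts MOUNTINFO MP... : print, space separated, those of MP...
# absent from field 5 (mount point) of a /proc/self/mountinfo listing.
missing_mounts() {
  mountinfo=$1; shift
  missing=""
  for mp in "$@"; do
    if ! printf '%s\n' "$mountinfo" | awk -v mp="$mp" '$5 == mp { f = 1 } END { exit f ? 0 : 1 }'; then
      missing="$missing $mp"
    fi
  done
  printf '%s' "${missing# }"
}

# plan_workaround MOUNTINFO HAVE_NSENTER(yes|no) APP_NAME : print the commands.
plan_workaround() {
  mountinfo=$1; have_nsenter=$2; app=$3
  missing=$(missing_mounts "$mountinfo" /dev /proc /sys)
  if [ -z "$missing" ]; then
    echo "nothing missing; this shell already shares the app's mount namespace"
    return 0
  fi
  # Without /proc neither nsenter nor pgrep can find the app, so proc comes first.
  case " $missing " in *" /proc "*) echo "mount -t proc proc /proc" ;; esac
  if [ "$have_nsenter" = yes ]; then
    # The oldest process with that name is the pod's master; join only its mount ns.
    echo "nsenter -m -t \$(pgrep -o $app) -- /bin/sh"
  else
    case " $missing " in *" /sys "*) echo "mount -t sysfs sysfs /sys" ;; esac
    # /dev is deliberately not mounted: a devtmpfs here would expose the host's
    # device nodes to the pod, so without nsenter /dev stays unavailable.
  fi
}

# Constructed sample: the table typically seen after `rkt enter` (no /dev, /proc, /sys).
SAMPLE_ENTER_MOUNTINFO='40 35 0:40 / / rw - overlay overlay rw
41 40 0:41 / /tmp rw - tmpfs tmpfs rw'
plan_workaround "$SAMPLE_ENTER_MOUNTINFO" no php-fpm

# Live run inside the entered shell (an unreadable mountinfo reports everything missing):
have=no; command -v nsenter >/dev/null 2>&1 && have=yes
plan_workaround "$(cat /proc/self/mountinfo 2>/dev/null)" "$have" php-fpm
```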

kfirufk commented 7 years ago

Of course :) Thank you. I'm not familiar with nsenter, I'll read about it.

kfirufk commented 7 years ago

rkt github issue: https://github.com/rkt/rkt/issues/3744

lucab commented 7 years ago

Thanks! I've captured my previous comment there, closing this bug then.