Open GinoHarlos opened 1 year ago
Please describe the changes with a few sentences.
watch -n 1 docker exec ${FQDN} systemctl status univention-container-mode-firstboot.service ...
( univention-container-mode-firstboot-on-failure.service and univention-container-mode-recreate-on-failure.service )
With the "fix latest version" patch it is possible to start a container with UCS 4.4-0 and it will update/upgrade itself to version 5.2-0 ( univention-corporate-server:4.4-0-test )
or 5.0-3 ( univention-corporate-server:4.4-0 )
with the default mirror URL.
docker \
run \
--detach \
--env DEBUG=TRUE \
--cap-add SYS_ADMIN \
--volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
--restart unless-stopped \
--tmpfs /tmp:exec \
--tmpfs /run/lock \
--tmpfs /run \
--hostname dc.ucs.example \
--name dc.ucs.example \
docker.io/ginoharlos/univention-corporate-server:4.4-0
watch -n 1 docker exec dc.ucs.example systemctl status univention-container-mode-firstboot.service univention-container-mode-firstboot-on-failure.service
...
● univention-container-mode-firstboot.service - Univention container mode firstboot
Loaded: loaded (/lib/systemd/system/univention-container-mode-firstboot.service; enabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/univention-container-mode-firstboot.service.d
└─override.conf
...
● univention-container-mode-firstboot-on-failure.service - Univention container mode firstboot
Loaded: loaded (/lib/systemd/system/univention-container-mode-firstboot-on-failure.service; static; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/univention-container-mode-firstboot-on-failure.service.d
└─override.conf
docker \
exec dc.ucs.example \
systemd-analyze blame | egrep -- univention-container-mode
...
13min 20.335s univention-container-mode-firstboot.service
docker \
exec dc.ucs.example /bin/bash -c 'systemd-detect-virt --container && univention-check-join-status && \
ucr search --brief ^repository/.*/server ^version ^appcenter/apps ^appcenter/docker$'
...
docker
Joined successfully
appcenter/docker: false
repository/app_center/server: appcenter.software-univention.de
repository/mirror/server: <empty>
repository/online/component/.*/server: <empty>
repository/online/server: https://updates.software-univention.de/
version/erratalevel: 648
version/patchlevel: 3
version/version: 5.0
Please describe the changes with a few sentences.
With a minimal amount of changes to the firstboot deploy, get a "fork" but with a pre-installed system role to save time. The default firstboot needs 15 to 20 minutes for a first start/boot. If you run the same with a pre-installed container image, it takes less than 10 minutes.
for dc in pdc sdc bdc mdc; do docker exec ${dc}.ucs.example systemd-analyze blame | egrep -- univention-container-mode-pre-installed-role.service; done
...
6min 12.302s univention-container-mode-pre-installed-role.service ( primary directory node )
5min 17.301s univention-container-mode-pre-installed-role.service ( replica directory node )
6min 529ms univention-container-mode-pre-installed-role.service ( backup directory node )
4min 27.356s univention-container-mode-pre-installed-role.service ( managed node )
...
for dc in pdc sdc bdc mdc; do docker exec ${dc}.ucs.example systemd-analyze blame | egrep -- univention-container-mode-pre-installed-role.service; done
...
11min 38.519s univention-container-mode-pre-installed-role.service ( primary directory node --ad-dc-- included )
8min 19.857s univention-container-mode-pre-installed-role.service ( replica directory node --ad-dc-- included )
9min 9.014s univention-container-mode-pre-installed-role.service ( backup directory node --ad-dc-- included )
4min 49.985s univention-container-mode-pre-installed-role.service ( managed node )
...
For a slimified container image it will take 300 to 400 MB of space, and as normal 50 to 100 MB on top ( gzipped tar archive on the container registry ).
Please describe the changes with a few sentences.
Depending on the container start and its privileges, there are more and more errors in individual systemd service units. This is now recognized for every container start and repaired in a nice or hard way.
journalctl --full --all --no-pager --no-hostname --boot | awk '/^.*systemd\[1\]\:.*(NAMESPACE|BPF.*cgroup.*failed.*)$/{ print $0 }'
... ${unit} Attaching egress BPF program to cgroup ... ${unit} failed ...
... ${unit} Main process exited, code=exited, status=226/NAMESPACE
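The detection described in this change, as an added example that is not the project's own code: it scans journal lines in the `journalctl --no-hostname` format for the two signatures quoted above (exit status 226/NAMESPACE and a failed BPF cgroup attach), extracts the affected unit names, and writes a drop-in override per unit. The sample journal is constructed, and the directive sets chosen for the override are this example's assumption about a "nice" repair; the project's actual repair logic is not shown on the page.

```shell
#!/bin/sh
# Added example, not code from the univention-container-mode project: scan
# journal output for the two failure signatures quoted above, work out which
# units they belong to, and write a per-unit drop-in that relaxes the
# directives that typically trigger them in an unprivileged container.
# The directive sets below are this example's assumption about a "nice"
# repair; the project's own repair logic is not shown on the page.

# Constructed sample of `journalctl --no-hostname --boot` output.
SAMPLE_JOURNAL='Jan 01 10:00:01 systemd[1]: Starting Univention container mode firstboot...
Jan 01 10:00:02 systemd[1]: nscd.service: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nscd.service failed: Operation not permitted
Jan 01 10:00:03 systemd[1]: Started Name Service Cache Daemon.
Jan 01 10:00:04 systemd[1]: apache2.service: Main process exited, code=exited, status=226/NAMESPACE
Jan 01 10:00:05 systemd[1]: apache2.service: Failed with result exit-code.
Jan 01 10:00:06 systemd[1]: slapd.service: Main process exited, code=exited, status=226/NAMESPACE
Jan 01 10:00:06 systemd[1]: apache2.service: Main process exited, code=exited, status=226/NAMESPACE
Jan 01 10:00:07 sshd[123]: Accepted publickey for root from 10.0.0.5'

# classify_failures JOURNAL_TEXT
# Prints one "unit<TAB>kind" line per affected unit, kind being NAMESPACE
# (exit status 226, mount namespace setup failed) or BPF (cgroup BPF attach
# failed, i.e. IP filtering/accounting not available). Duplicates collapse.
classify_failures() {
  printf '%s\n' "$1" | awk '
    {
      # Only lines logged by PID 1 about a named unit: "systemd[1]: foo.service: ..."
      if (!match($0, /systemd\[1\]: [^ :]+\.[a-z]+: /)) next
      unit = substr($0, RSTART + 12, RLENGTH - 14)
      if ($0 ~ /status=226\/NAMESPACE$/)
        print unit "\tNAMESPACE"
      else if ($0 ~ /Attaching (ingress|egress) BPF program to cgroup .* failed/)
        print unit "\tBPF"
    }' | sort -u
}

# override_for UNIT KIND: drop-in body that clears the offending directives
# (assumed repair; adjust to what the unit actually sets).
override_for() {
  case "$2" in
    NAMESPACE)
      printf '[Service]\n'
      printf '%s\n' PrivateTmp=no ProtectSystem=no ProtectHome=no \
        PrivateDevices=no ProtectKernelTunables=no ProtectControlGroups=no ;;
    BPF)
      printf '[Service]\n'
      # An empty assignment resets the list; IPAccounting=no drops the BPF hook.
      printf '%s\n' IPAddressAllow= IPAddressDeny= IPAccounting=no ;;
    *)
      return 1 ;;
  esac
}

# write_overrides DIR JOURNAL_TEXT: create DIR/<unit>.d/override.conf for each
# affected unit. On a real container use /etc/systemd/system as DIR, then run
# systemctl daemon-reload and restart the units.
write_overrides() {
  dir="$1"
  classify_failures "$2" | while IFS="$(printf '\t')" read -r unit kind; do
    mkdir -p "$dir/$unit.d"
    override_for "$unit" "$kind" > "$dir/$unit.d/override.conf"
  done
}
```

To run it against a live container, feed the output of the journalctl command above into `write_overrides /etc/systemd/system "$(journalctl --full --all --no-pager --no-hostname --boot)"` and follow with `systemctl daemon-reload`. Relaxing sandboxing directives is the "nice" path; it trades hardening for a running service, so restore the original directives once the container has the privileges (CAP_SYS_ADMIN, writable cgroup) the unit needs.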
Plan B for parallel join ( try to get a certificate before joining )
Description
In case of starting many directory nodes or managed nodes at the same time, a lot of certificates are coming in a short period of time too and maybe you will get a join failed. To prevent this, the container tries to get a certificate before joining to a primary directory node. This functionality is particularly useful with the container option dcwait and when using docker-compose too.