[RHEL8-OSP15] Container Runtimes integration - Status report #7

Emilien Macchi emilien at redhat.com
Fri Jan 11 16:20:48 UTC 2019

Welcome to the seventh status report about the progress we make to integrate
Container Runtimes into Red Hat OpenStack Platform, version 15.
You can read the previous report here:
Our efforts are tracked here: https://trello.com/b/S8TmOU0u/tripleo-podman

- Some OSP folks will meet in Brno next week, to work together on
RHEL8/OSP15. See [1].
- We have replaced the Docker Healthchecks by SystemD timers when Podman is
deployed. Now figuring out the next steps [2].
- Slow progress on the Python-based uploader (using tar-split + buildah),
slowed by bugs.
- We are waiting for podman 1.0 so we can build / test / ship it in TripleO

Context reminder
The OpenStack team is preparing the 15th version of Red Hat OpenStack
Platform that will work on RHEL8.
We are working together to support the future Container Runtimes which
replace Docker.

- Implemented Podman healthchecks with SystemD timers:
- Renamed SystemD services controlling Podman containers to not conflict
with baremetal services https://review.openstack.org/#/c/623241/
- podman issues (reported by us) closed:
  - pull: error setting new rlimits: operation not permitted
  - New podman version introduce new issue with selinux and relabelling:
relabel failed "/run/netns": operation not supported
  - container create failed: container_linux.go:336: starting container
process caused "setup user: permission denied"
  - "podman inspect --type image --format exists <image>" reports a
not-friendly error when image doesn't exist in local storage
  - container create failed: container_linux.go:336: starting container
process caused "process_linux.go:293: applying cgroup configuration for
process caused open /sys/fs/cgroup/cpuset/machine.slice/cpuset.cpus: no
such file or directory" https://github.com/containers/libpod/issues/1841
- paunch/runner: test if image exists before running inspect
- Fixing a bunch of issues with docker-puppet.py to reduce chances of race
- A lot of SELinux work, to make everything work in Enforced mode.
- tar-split packaging is done, and will be consumed in TripleO for the
Python image uploader

In progress
- Still investigating standard_init_linux.go:203: exec user process caused
\"no such file or directory\" [5]. This one is nasty and painful. It
involves concurrency and we are evaluating solutions, but we'll probably
end up reducing the default multi-processing of podman commands from 6 to 3
by default.
- Investigating ways to gate new versions of Podman + dependencies:
- Investigating how to consume systemd timers in sensu (healthchecks) [2]
- Investigating and prototyping a pattern to safely spawn a container from
a container with systemd https://review.openstack.org/#/c/620062
- Investigating how we can prune Docker data when upgrading from Docker to
Podman https://review.openstack.org/#/c/620405/
- Using the new "podman image exist" in Paunch
- Still implementing a Python-based container uploader (using tar-split and
buildah) - this method will be the default later:
- Testing future Podman 1.0 in TripleO [3]
- Help the Skydive team to migrate to Podman [4]

Podman 1.0 contains a lot of fixes that we need (from libpod and vendored
as well).

Any comment or feedback is welcome, thanks for reading!

[2] https://trello.com/c/g6bi5DQF/4-healthchecks
[3] https://trello.com/c/2tXNLJUN/58-test-podman-10
[4] https://trello.com/c/tW935FGe/56-migrate-ansible-skydive-to-podman
[5] https://github.com/containers/libpod/issues/1844
Emilien Macchi