RHOAIENG-16076: tests(gha): change to using rootful podman, so that we can share containers/storage with cri-o later
#782
Conversation
|
|
||
| [Socket] | ||
| ListenStream=%t/podman/podman.sock | ||
| SocketMode=0666 |
There was a problem hiding this comment.
jiridanek
added
the
tide/merge-method-squash
jiridanek
changed the title
containers/storage with cri-o later
|
/override ci/prow/images |
|
@jiridanek: Overrode contexts on behalf of jiridanek: ci/prow/images In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
…e can share containers/storage with cri-o later
jiridanek
force-pushed
the
jd_notebooks_gha_make/rootfulpodman
branch
from
acb4aa5 to
0237d4a
Compare
|
/override ci/prow/images |
|
@jiridanek: Overrode contexts on behalf of jiridanek: ci/prow/images In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
I have to admit I don't fully follow all of the configuration changes here, but LGTM in general overview and if it works and helps to reduce the disk-space utilized, I'm all for this. Thank you, Jiri! /lgtm |
| # Use the rootful instance of podman for sharing images with cri-o | ||
| # https://podman-desktop.io/blog/sharing-podman-images-with-kubernetes-cluster#introduction | ||
| # https://access.redhat.com/solutions/6986565 | ||
| CONTAINER_HOST: unix:///var/run/podman/podman.sock |
There was a problem hiding this comment.
when podman cli is started, it consults this env variable; when it is present, then it connects (as a client) to this socket, so things work pretty much as they would in the docker world
the server can be a systemd service running as root, and if current user has permissions on the socket (it has, because of 0666), then we run rootful podman
| # podman from brew has its own /etc (was giving me Failed to obtain podman configuration: runroot must be set) | ||
| # the (default) config location is also where cri-o gets its storage defaults (that can be overriden in crio.conf) | ||
| sudo cp ci/cached-builds/containers.conf /etc/containers.conf | ||
| sudo cp ci/cached-builds/containers.conf /home/linuxbrew/.linuxbrew/opt/podman/etc/containers.conf | ||
| sudo cp ci/cached-builds/storage.conf /etc/containers/storage.conf | ||
| sudo cp ci/cached-builds/storage.conf /home/linuxbrew/.linuxbrew/opt/podman/etc/containers/storage.conf | ||
| sudo cp ci/cached-builds/registries.conf /etc/containers/registries.conf | ||
| sudo cp ci/cached-builds/registries.conf /home/linuxbrew/.linuxbrew/opt/podman/etc/containers/registries.conf |
There was a problem hiding this comment.
these are just the default config files, but I need to have some nondefault values in them, mostly the path to containers/storage; it's pretty much the same as it was before, but i'm putting them into the systemwide location, not just into user directory, because now we run rootful podman
also, I am putting it into the systemwide locations for crio as well as podman, and because podman is installed from homebrew, it lives under /home/linuxbrew/.linuxbrew/opt/podman/etc; weird but so is life
| # Failed to pull image "bitnami/kubectl:1.26.4": reading manifest 1.26.4 in quay.io/bitnami/kubectl: unauthorized: access to the requested resource is not authorized | ||
| unqualified-search-registries = [ "docker.io" ] | ||
| short-name-mode = "enforcing" |
There was a problem hiding this comment.
i only saw this when I was doing something with kyverno (I don't intend to push that), but it looks like a good default; kyverno only has images in docker.io, but with the previous defaults somehow an attempt to pull from quay.io was made; let's stop that
|
thanks for the review; I added some comments, and I'd be happy to discuss this more; it is possible I am doing something overly complicated here; it's always best to have simple infra as possible /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jiridanek The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
https://issues.redhat.com/browse/RHOAIENG-16076
Another chunk of the
changes to be reviewed and merged.
Description
I need to save the disk space, so I can't just copy the built images into KinD or some such local instance of kubernetes where I can run the Makefile tests. Therefore, I need to build the images in a rootful Podman, and then (subsequent PR) I'll be able to reuse it's containers/storage directory in cri-o backed kubernetes.
https://podman-desktop.io/blog/sharing-podman-images-with-kubernetes-cluster#introduction
How Has This Been Tested?
GHA
Merge criteria: