-
Notifications
You must be signed in to change notification settings - Fork 305
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sysroot: Rework /var handling to act like Docker VOLUME /var
#3166
Conversation
Skipping CI for Draft Pull Request. |
428b823
to
ab06743
Compare
/test all |
This is intended to pair with ostreedev/ostree#3166 If we detect a new enough ostree version, then by default don't remap content in `/var`, assuming that ostree itself will handle it. In order to unit test this (without depending on the ostree version that happens to be on the host) add an API to the importer which allows overriding the version.
We've long struggled with semantics for `/var`. Our stance of "/var should start out empty and be managed by the OS" is a strict one, that pushes things closer to the original systemd upstream ideal of the "OS state is in /usr". However...well, a few things. First, we had some legacy bits here which were always populating the deployment `/var`. I don't think we need that if systemd is in use, so detect if the tree has `usr/lib/tmpfiles.d`, and don't create that stuff at `ostree admin stateroot-init` time if so. Building on that then, we have the stateroot `var` starting out actually empty. When we do a deployment, if the stateroot `var` is empty, make a copy (reflink if possible of course) of the commit's `/var` into it. This matches the semantics that Docker created with volumes, and this is sufficiently simple and easy to explain that I think it's closer to the right thing to do. Crucially...it's just really handy to have some pre-existing directories in `/var` in container images, because Docker (and podman/kube/etc) don't run systemd and hence don't run `tmpfiles.d` on startup. I really hit on the fact that we need `/var/tmp` in our container images by default for example. So there's still some overlap here with e.g. `/usr/lib/tmpfiles.d/var.conf` as shipped by systemd, but that's fine - they don't actually conflict per se.
OK yep, I've tested this more "end-to-end" in combination with ostreedev/ostree-rs-ext#602 and things work well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
This is intended to pair with ostreedev/ostree#3166 If we detect a new enough ostree version, then by default don't remap content in `/var`, assuming that ostree itself will handle it. In order to unit test this (without depending on the ostree version that happens to be on the host) add an API to the importer which allows overriding the version.
One thing I was thinking about here is how this interacts with people who want to do a separate Looking at the current anaconda logic (assuming tasks aren't being run in parallel) then it looks like what happens is that the deploy task combines the stateroot-init with a deployment - and that's when we copy the container And at this point, there's no mount point there. It's only after that that the mount point task runs - this is basically reimplementing the logic from So in order to properly get the commit/container-image Move data out of stateroot
|
So if I understand this correctly, this behaves like the At installation time, it will copy What happens on updates? If we're moving away from the factory option, shouldn't we completely remove all traces of it to remove confusion? |
The default is that ostree will see that However, note this aligns with "factory reset" semantics; one can do a flow of |
This is tricky. There's two problems being fixed here. The first is that I discovered belatedly that The second is that In theory something else could have started to rely on ostree including the tmpfiles.d rule for But yes...perhaps we should just remove it. Yeah, I will do a PR. |
BTW, one thing I realized this doesn't handle is that anyone doing |
OK, split that into #3222. |
We've long struggled with semantics for
/var
. Our stance of "/var should start out empty and be managed by the OS" is a strict one, that pushes things closer to the original systemd upstream ideal of the "OS state is in /usr".However...well, a few things. First, we had some legacy bits here which were always populating the deployment
/var
. I don't think we need that if systemd is in use, so detect if the tree hasusr/lib/tmpfiles.d
, and don't create that stuff atostree admin stateroot-init
time if so.Building on that then, we have the stateroot
var
starting out actually empty.When we do a deployment, if the stateroot
var
is empty, make a copy (reflink if possible of course) of the commit's/var
into it.This matches the semantics that Docker created with volumes, and this is sufficiently simple and easy to explain that I think it's closer to the right thing to do.
Crucially...it's just really handy to have some pre-existing directories in
/var
in container images, because Docker (and podman/kube/etc) don't run systemd and hence don't runtmpfiles.d
on startup.I really hit on the fact that we need
/var/tmp
in our container images by default for example.So there's still some overlap here with e.g.
/usr/lib/tmpfiles.d/var.conf
as shipped by systemd, but that's fine - they don't actually conflict per se.