podman machine init: add a --with-foreign-arch flag #13667
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: zhenya-1007 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@rhatdan Wouldn't enabling qemu-static & Co by default, "make people pay for what they don't use" in many cases? |
openshift-ci
bot
added
needs-rebase
|
/cc @baude @Luap99 @vrothberg |
| # if the package is already installed. This is useful if the package is | ||
| # added to the root image in a future Fedora CoreOS release as it will | ||
| # prevent the service from failing. | ||
| ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive qemu qemu-user-static qemu-user-binfmt |
There was a problem hiding this comment.
@dustymabe what happens with ^^ when an FCOS update is downloaded and applied on a reboot?
There was a problem hiding this comment.
I'll have to wait until an FCOS update is out, but my semi-educated guess is that /lib/binfmt.d will become empty following an FCOS update, so the installation will be triggered following an update, due to the Condition* clauses in the [Install] section. I can report that this does only run once for a given FCOS version, due to those same Condition* clauses (once the packages are installed /lib/binfmt.d is no longer emtpy).
There was a problem hiding this comment.
An update should be handled without an issue. You want to make sure this only runs once. Our docs use ConditionPathExists=!/var/lib/%N.stamp and ExecStart=/bin/touch /var/lib/%N.stamp for this.
There was a problem hiding this comment.
@dustymabe when this runs during boot up, does the entire boot sequence pause and wait for the install to complete? Or can the user begin interacting with the FCOS VM while the install occurs?
There was a problem hiding this comment.
Should be able to go ahead and start interacting with the machine.
There was a problem hiding this comment.
+1 I have set up FCOS VMs with a similar systemd unit "by hand", and I am able to ssh to the machine, and interact with it while the installation is running. Once I ssh to the machine, I can use systemctl status install-qemu-static.service to check on how the installation is progressing. (Obviously, I need to wait for the installation to finish before I can run "foreign" binaries).
|
I want some time to think about this one and to see what others think. I was thinking this would eventually be something to GUI would enable rather than built into podman. If we were to move forward with it, I'm wondering if it should be an opt in thing vs default. From the code snippets, I could not confirm if it was ... anyways, the installation of those packages are not trivial in time. The real goal should be that qemu-static be shipped as part of the image itself, imho. |
Please do take time to think about it. Are there any GUIs for podman that exist today? If so, could you point me to it/them?1 In the end, I want to have some way for users to run "foreign" arch binaries. I appreciate that users have the theoretical option of coming up with an ignition file, and providing it as the
It is an opt-in in the current implementation, precisely because I didn't want to make everyone pay for what only some people will use. Take another look at line 255 in
What would motivate FCOS to make this change? The "I want to run binaries for 'foreign' CPU(s)" use case strikes me as very far fetched in the context in which [I am imagining] the team that works on FCOS operates. Footnotes
|
|
|
||
| flags.BoolVar( | ||
| &initOpts.QemuStatic, | ||
| "with-foreign-arch", false, |
There was a problem hiding this comment.
I am not sure whether the naming was debated already. But other commands just use --arch (e.g., podman run), so I'd prefer to keep the naming consistent and rename it to --arch.
There was a problem hiding this comment.
This is a bool and does not take a value so it would not be consistent with --arch. But I also do not like the name, maybe --emulation would fit better?
There was a problem hiding this comment.
I agree it's out of step with the style in which the rest of the options are named.
I am listing below some possibilities I can think of. How do you [plural] feel about them?
--cross--cross-arch--non-native--emulation--emulate
FWIW, the two that start with --cross are my favourite (evocative of cross-compilation).
Incidentally, do you [plural] know off the top of your head if spf13/cobra does "unique prefix" option matching (i.e., if there's an option spelled --foobar, and no other option starts with --foo, will it accept just --foo in place of --foobar?)
pkg/machine/ignition.go
Outdated
| IFS="|";\ | ||
| for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\ | ||
| echo "export $iprxy" >> ${PROFILE_CONF}; done ) || \ | ||
| echo "#Got nothing from QEMU FW_CFG"> ${PROFILE_CONF}' |
There was a problem hiding this comment.
Not sure the whitespace changes above belong into this PR.
There was a problem hiding this comment.
Other people were stumbling over them also, so I rewrote the commit to get rid of them.
| WantedBy=multi-user.target | ||
| ` | ||
|
|
||
| if ign.QemuStatic { |
There was a problem hiding this comment.
Please add a comment on what the regex is intended to do. Ideally, move it into a separate function with unit tests.
There was a problem hiding this comment.
I have added a comment. I think a separate function would be overkill.
|
There's no need to install the binaries directly on the host. All that's needed is pointing the kernel at some available binaries to use. This is easily done by using the pre-built container images from https://github.com/multiarch/qemu-user-static or taking that as a pattern to build your own. The |
@cevich Yes, I remember coming across that project. Is the "only for x86_64 hosts" part of the README accurate? If so, then I am afraid your proposed solution does not address my primary use case, which is running x86_64 binaries on Mac M1 (i.e., the host is aarch64) -- or at least not "out of the box." That said, maybe it would be more productive for me to contribute an " Parenthetically, I have found documentation for multiarch/qemu-user-static to be quite hard to follow. In fact, I was thoroughly confused as to what was going on until I found a reference to |
|
Those specific container images aren't actually needed, you can roll your own. All you need is a aarch64 container image with the qemu-user-static binaries available. Run that on the host (VM) with |
@cevich Thank you for explaining! So, it sounds like, with a bit of copying-pasting of existing code, running amd64 binaries on Mac M1 under podman could be as simple as One just needs to fill in the ellipses in the |
The flag is qemu-specific. It causes `qemu-static` & friends to be installed on the machine so that, e.g., x86_64 binaries can be run on aarch64 (aka "arm64").
Signed-off-by: Evgeny ("Zhenya") Roubinchtein <[email protected]>
I have done manual testing as described in the PR message, so (I believe it is the case that) [NO NEW TESTS NEEDED]
Explain what manipulation of the text of the `ready` unit intends to accomplish.
Signed-off-by: Evgeny ("Zhenya") Roubinchtein <[email protected]>
Use the `/var/lib/<service_name>.stamp` convention for the `install-qemu-static` unit.
Signed-off-by: Evgeny ("Zhenya") Roubinchtein <[email protected]>
|
I would rather document this via the container image and potentially ship the container image for qemu-user-static rather then modify the podman machine command. Since podman machine can support multiple different VM images, it seems like it would make sense to either ship qemu-user-static preinstalled in the VM (My preference) or to create an multi platform container image on quay.io/podman with qemu-user-static and tell people how to use it. |
If we want to build and ship something multi-arch outselves, my build-push PR brings that in to podman. All we need is a |
I agree with the sentiment, actually: I just didn't recognize Parenthetically, I don't know that you'll have much luck convincing even the FCOS team2 to ship qemu-user-static as part of FCOS, because of the, "why make every user pay for what only a few users will actually need" argument -- but I have been wrong before (occasionally). ;-) Footnotes |
This PR really isn't about "building multi-arch images as part of Podman/OpenShift infrastructure": it's about enabling users of podman to build/run multi-arch images in the context of their podman installation. I appreciate that your PR does good things, but, AFAICS, it's at best tangentially related to this PR. |
|
|
||
| Enable running binaries compiled for "foreign" CPUs (e.g., run x86_64 binaries on | ||
| Apple M1 silicon). This option only works for Qemu machines. It works by installing | ||
| qemu-static and qemu-binfmt packages on the machine. The initialization process will |
There was a problem hiding this comment.
'packages on the machine.' I think you mean packages on the Qemu machine. Suggested change to remove the concern about installing it on the host machine instead.
|
@cevich I am looking at it again, and, from what I have seen so far, the "have the kernel eagerly load, and then persist an interpreter for binfmt_misc" game that multiarch/qemu-user-static is playing doesn't work when the host system has SELinux enabled (as FCOS does in its default configuration). Can you point me to an example where the multiarch/qemu-user-static approach works even when SELinux is enabled on the host system? What I have tried (prompts are intended to be suggestive of command running on the FCOS host vs the container): Could you please provide a transcript of a working example at a similar level of detail?1 Footnotes
|
|
Oof, I did not encounter SELinux related problems AFAIR, it basically "just worked" 😖 What I'm using right now (in automation) under CentOS Stream-8, and does a: But then it runs multi-arch operations from within a super-privileged container: That works with SELinux enabled on the host, but obvious it's been disabled for the container, along with seccomp. I'm not an expert in either, but I think that's necessary in this case. |
|
Update: Just tried on F35, installed Have you tried running the initial container with |
|
@cevich Thank you for following up on this! Turns out, if I add, Case closed. Thanks again for all your help with this! |
|
Perhaps this should be documented somewhere -- ideally somewhere that's easy to find from Podman documentation... |
|
What AVCs were you seeing? |
|
Dan, I think the exact AVC's maybe don't matter since the binaries are coming from within another container (which also has |
|
SGTM |
|
But, but... Installing Footnotes
|
|
IMO bundling it on the machine OS is the right way to go. With aarch64 becoming more prevalent on developer systems and increasing usage of multi arch deployments usage of it is likely to be common. FWIW Docker also bundles it on M1, so —platform just works out of the box |
|
I agree it should be in the machine. |
|
@n1hility @rhatdan: "bundling it on the machine OS" doesn't specify how such bundling is to be accomplished. I see at least two options:
Are you speaking in support of one of the options above, and if, so which one? Or are you suggesting a completely different approach? |
|
@zhenya-1007 i am just a contributor so don’t take this response as any sort of authority, but i would suggest both directions: propose this to the base FCOS since it seems to be on-mission and then consider a layer approach as a transition solution (or final if they decline) - I personally think it should be included by default without a required option to init. Note that if everyone agrees this is the way to go there would need to be a port for WSL as well (I can help with that). |
|
I would prefer that it comes by default from FCOS. The issue might be size. If not then I say Podman installs it by default from a container image. I don't think we should have it as an option, since I don't think most users would understand or care. |
github-actions
bot
added
the
locked - please file new issue/PR
The flag is qemu-specific. It causes
qemu-static& friends to be installed on the machine so that, e.g., x86_64 binaries can be run on aarch64 (aka "arm64"). This is "scratching an itch" for me because I am on Mac M1, but I want to build Docker images whose Dockerfiles contain RUN instruction(s) for x86_64.I did manual testing as follows, so (I believe it is the case that) [NO TESTS NEEDED].
Preparation:
podmanper instructions inbuild_osx.md./bin/podman machine stop && ./bin/podman machine rm -fRun without the new option:
./bin/podman machine init --now./bin/podman machine sshsudo systemctl status install-qemu-static.service: shows up asdisabledandinactivesudo systemctl edit ready.service: theAfterline looks like this:# After=remove-moby.service sshd.socket sshd.service./bin/podman machine run --arch amd64 fedora:35 uname -a: fails with{"msg":"exec container process/usr/bin/uname: Exec format error","level":"error","time":"2022-03-26T08:07:03.000635889Z"}(as expected)Clean up:
./bin/podman machine stop && ./bin/podman machine rm -fRun with the new option:
./bin/podman machine init --with-foreign-arch --now(unfortunately it's now perceptably slower)./bin/podman machine sshsudo systemctl status install-qemu-static.service: shows up asenabledand having run successfullysudo systemctl edit ready.service: theAfterline looks like this:# After=remove-moby.service sshd.socket sshd.service install-qemu-static.service./bin/podman machine run --arch amd64 fedora:35 uname -a: printsLinux 81c4b2d16270 5.15.18-200.fc35.aarch64 #1 SMP Sat Jan 29 12:44:33 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux