Creating ‘openedx’ user takes too long when building openedx-dev image #323
Comments
|
Any solution yet ? this happen to me too, for latest version of tutor.
In the mean time I bypass the openedx-dev user creation by commenting following line in ~/.local/share/tutor/env/build/openedx-dev/Dockerfile : the openedx-dev image was successfully built with drawback it will be running with root user rather than openedx user. |
I don't have any solutions yet for the drawback you have specified in the end. |
|
Any solution yet? Having the same problem :( |
|
I just had this happen to me on version 10.0.11. Commenting out the lines in Dockerfile as @shashikiranraifox outlined worked for me. |
regisb
added
the
enhancement
|
I am currently investigating this, but it's not easy for me to replicate the issue, so it would be great if I could get some help from the community. In particular, I would like to know if replacing the Could someone please try this out? In case of trouble I can provide a more detailed example in a separate branch. |
|
I would be willing to give it a shot. Can you give me a bit more details on what you would like me to try. |
|
@ToddLichty You should install tutor from the "regisb/openedx-dev-chown" branch of the source repo. Then run: |
|
@regisb That worked. There was a 5 minute pause on However, I then tried to run the dev lms just to make sure it worked and it has been stuck at: for the past 15 minutes. |
|
@ToddLichty please paste here the output of the following command: |
|
docker-compose -f
/home/todd/.local/share/tutor/env/local/docker-compose.yml -f
/home/todd/.local/share/tutor/env/dev/docker-compose.yml --project-name
tutor_dev run --rm --no-deps --entrypoint=bash -e -c lms find /openedx -not
-path "/openedx/edx-platform/*" -not -user openedx > /dev/null
real 0m4.096s
user 0m1.137s
sys 0m0.117s
|
|
I was running into this issue as well. I just "hotfixed" my current dockerfile by putting this line after the create-user line: I uncommented the This worked for me and the lms starts without problems. Unfortunately I don't know why I started having this problem: I'm reasonably sure that a week ago I could build the same version Dockerfile without problems. |
|
I just remembered something I changed in between not having/noticing this problem and having this problem: I moved my |
|
Hi @regisb , I believe there is nothing we can do about it, it's kernal related. See this docker/for-linux#388 |
|
@shadinaif Well, we could |
|
|
Hi, I have been experimenting with a rework of Tutor's Dockerfiles to take full advantage of BuildKit optimizations, and alleviate a few Docker image pain-points, in this Tutor fork. Included in the rework is a solution to this issue. I was also previously seeing hours-long build times for the 'openedx-dev' image. To get around this particular problem, I modified the dev image such that it no longer extends to the 'openedx' (local) image. Instead, Quite a few other optimizations, fixes, and nice-to-haves are also included:
I also made some CLI changes which handle automatically sharing layer caches between images. Performance wise, I have noticed significantly faster build times for both the 'openedx' and 'openedx-dev' image. Because of the problem described in this issue, combined with build cache optimizations, the speedup for the 'openedx-dev' image is extreme. I haven't performed a proper benchmark, but the build times went from well over 1 hour to less than 30 minutes for me. The combined size of the two images should also be smaller. The most relevant files are: https://github.com/SkillUpTech/tutor/blob/docker-buildkit/tutor/templates/build/openedx/Dockerfile The changes are still somewhat of a work in progress and have not been thoroughly tested. However, I would be happy work on rolling these into a PR/TEP. Is this something that the Tutor project would be interested in, @regisb? |
|
Hi @thomas-skillup! It's really funny that you post this now, as I am currently working on pretty much the same thing. My goal is twofold:
Your comment includes many good ideas ( I have one question: with your development image, at runtime, you do go through chroot via /openedx/dev_bin/docker-entrypoint.sh, right? Does the "Setting file permissions for user openedx..." step take long in your environment? |
|
Hello again @regisb! About unprivileged containers (and Interesting about running the containers unprivileged--I didn't have this in mind for the same reason, but I already have this implemented in the 'dev-user' stage of the openedx-dev Dockerfile here. The 'dev-user' stage could be simply moved into the production ('openedx') Dockerfile so that we start operating as the
About local.in For eliminating the duplicate installation of requirements in COPY --from=code /openedx/edx-platform /openedx/edx-platform`to COPY --from=python-requirements /openedx/edx-platform /openedx/edx-platformThe reason being that the .egg-info folders were generated in the 'python-requirements' stage, but were subsequently left behind. About the apt-get concern I'm not sure if I was entirely clear about what I meant here. I didn't mean to imply that I wanted to create a catastrophic quantity of layers, like one per dependency. I was referring purely to the formatting of the Dockerfile. To illustrate, here's an example. Say you have a line that looks like: RUN apt-get update && apt-get install -y wget curl llvm && rm -rf /var/lib/apt/lists/*Now, if you have two different developers working on separate features, and one would like to modify/remove/pin the RUN apt-get update && apt-get install -y \
wget \
curl \
llvm \
&& rm -rf /var/lib/apt/lists/*Which could easily be modified, if needed, to i.e. RUN apt-get update && apt-get install -y \
wget==1.8.7 \
curl \
llvm==9.7.1 \
&& rm -rf /var/lib/apt/lists/*Unless, of course, you're referring to the first stage of my 'openedx-dev' Dockerfile implementation. The only reason for having a few RUNs in this stage is that this instruction in the 'openedx-dev' Dockerfile is identical to this instruction in the 'openedx' Dockerfile. Or, at least, I meant it to be (oops--I see they are actually slightly different at time of writing--an easy fix). The same logic applies to this 'openedx-dev' instruction and this 'openedx' instruction. Because of this, there's no need to regenerate these two layers while building the development image. They can just be reused from the production image. If this is undesirable for some reason, the three RUNs in the 'base' phase of my 'openedx-dev' Dockerfile could simply be combined--no functionality would be affected. About the entrypoint and chroot The "Setting file permissions for user openedx..." step has taken no-time flat for me, as the permissions changes are already in place, at least for the most part. As it stands I'm still going through the /openedx/dev_bin/docker-entrypoint.sh script, yes. There shouldn't actually be any need for the chroot at all though--this part could just be removed.
I'm a bit out of my element here, but I was under the impression that this wouldn't be much of an issue. I think Openshift should automatically mount the files with the correct permissions for the user running in the container (I could very well be wrong, though). For Docker Compose, you could perform the bind-mounts as a host user with the same UID as the container user. Since I kept the UID parameterized, the image could easily be built such that the UID matches that of the host user. If the host user is root though, this might be an issue. But it might still work just fine (with the caveat that the container is now, by definition, running privileged). Or, as you mentioned, there could be a separate job for handling permissions on mounted directories, either via a direct EDIT: I think clever usage of groups would be the better alternative here. The mounted volumes should have some group ID which can be determined at the convenience of the host. The user inside of the container can then be added to this group by some means at run time. The end result is that the user in the container has access to all of the files in the system, either as owner or as a member of the correct group. And no mass-modification of ownership bits is needed at all--just the one If the UID of the container user itself needs to be dynamic, we would just change the COPY commands to specify a unique group, too. The the user would be created and added to both the group used for the container layers and the group in the bind-mounts at some point prior to executing the service. Or maybe none of these approaches are correct ¯\_(ツ)_/¯. Just throwing out ideas. |
With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. Close #323.
With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
|
@thomas-skillup please have a look at the following PR: #505 I'm curious to hear what you think. |
With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
|
This should be resolved in the nightly branch, and I expect that it will also be resolved once Maple is released (Dec. 9th). Feel free to reopen if you think otherwise. And thanks to everyone for your participation! |
With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
As per the documentation, I ran the following command to build the openedx-dev image
tutor images build openedx-devOS Version is: 18.04.4 LTS
Tutor Version is: 3.12.3
I left it system to run overnight(almost 12 hours), yet the command was not successful. It was stuck at running the create-user.sh. Below is the log:
(I have used a workaround as specified here, but this is a stop gap arrangement)
The text was updated successfully, but these errors were encountered: