-
-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support "native" podman as backend #85
Comments
Technically it is a matter of implementing this interface: https://github.com/laszlocph/woodpecker/blob/master/cncd/pipeline/pipeline/backend/backend.go and this is how it is implemented for Docker: https://github.com/laszlocph/woodpecker/blob/master/cncd/pipeline/pipeline/backend/docker/docker.go So technically it is probably possible. As for should the project focus on it, is a different question. In my surroundings I don't see many companies want to differentiate on what container engines they are running, and just default on Docker. Even though the drawbacks of Docker's architecture is known to some of them, adopting alternatives have not reached a high level. Or they don't talk about it, or I don't listen :) Also these companies are not Fedora/RedHat/Centos shops, so I have limited visibility on the adoption of Podman. But I do see the benefits of Podman over Docker. I haven't used it, but I might try. All in all:
|
So I tried to use podman with woodpecker. It failed in several interesting ways. I used podman on f34, either the package (quite recent 3.3.0), or the latest git devel version (self compiled). It failed first because podman didn't pull the plugins/git image, and I do not understand why as it work if I do it manually. Once the plugin is in the local registry, the build proceed. Then it failed because the workingDir directory is not created automatically. I see the volume creation, and the code should create it on disk in /var/lib/something, but it doesn't seems to mount it correctly. Again, it seems to be dependent on the backend, i tried with crun and runc, no luck. My plan was to debug that, but I haven't yet looked more. However, I also looked at what it would requires to write a backend. Podman has a set of bindings, so this shouldn't have been too hard for a go beginner like me. However, since woodpecker has switched to vendoring in 7551357 , my understanding is that we also have to vendor podman, which in turn pull a rather large number of dependencies, some who requires C headers (btrfs, devicemapper). I do think this would put a undue burden on woodpecker CI and deployment. So for now, the solution for using podman is either find why woodpecker work with docker but not the docker API exposed by podman (likely a issue podman side), or add a backend in a way that do not bloat the build (again, likely a issue on podman binding, or maybe I do not it wrong ). |
That sounds quite interesting. I never used podman, but as I am totally interested in a Kubernetes agent, it is probably a good discussion about how backends for agent should be handled in the long term. Currently I see two options for it:
Meanwhile if you need help debugging woodpecker feel free to write me on Discord. |
I've just used a --use-podman boolean flag for the agent for now. Most of the code would be either just duplicated for every agent or it would need a bigger rewrite I guess. |
So I just tried again with podman and it now work.... almost. I was able to use on a self hosted gitea the following config:
The server run on Fedora 34 with podman-3.3.1-1.fc34.x86_64, with woodpecker 34cfabb |
Ok so it worked because I patched podman myself, and forgot about it. Upgrading to 3.4.0 resulted in the same workingDir issue |
Status update, I managed to get podman working (for real this time), and the patch was merged upstream, and will be in the next release. Now the only last issue is one around registry. It seems for some reason, the docker compat API of podman will not download remote images automatically, but if you download manually before (using podman pull on the agent), it work without problem, so this one can be worked around more easily. |
I think it will work with newer podman, but I would appreciate someone to do a test, since I already managed to get my test wrong. |
looking forward do see a pull for the 2nd issue :) I'll think we should still add podman as "native" option too - but what ever get released first will do it for the majority i think |
I am sure upstream podman would also prefer a native API, but it seemed to pull a rather high amount of dependencies and code, even by go standard of vendoring due to the web of import in podman code base (the PR changed 2430 files, and current vendor directory is 2794 files). In turn, this will make the compilation time increase, and the binary size too (like, it almost doubled when I tried to make a mock podman backend before #305 was proposed). Nothing unfixable, but this look like a rather tedious problem to solve. Last time I looked, it was because the specgen package from podman pull the whole world, so that's a issue podman side to be solved, and afaik, one that wasn't reported yet. |
Here is the PR for the last problem I encountered: |
So the PR was wrong, but this is being worked on containers/podman#12318 and containers/podman#12317 . In the mean time, I also found another incompatibility on containers/podman#12320 (which might be trickier to solve) |
So, after discussion with the podman devs, we reached a consensus that the compatibility issue is tricky to solve, but it should be fixed. However, my fix is not the right one, and as I do not think there is no easy fix, it might take some time before it get done. In the mean time, there is a few way that can be explored on woodpecker side:
(to be clear, the last one is not a serious proposal) |
Ok, it seems like using Podman rootless works just fine for me. What I did was manually link |
Podman 4.0 was released yesterday, (announce is not yet published, and will likely not be until next week), and it should now fix the short name issue I faced, so that would be working out of the box. I will do a quick test later. |
With PR #763, setting the |
So as Fedora 36 is out very soon, so I upgraded my CI and I can confirm that podman 4.0 work out of the box if the socket is correctly set (eg, either with the variable, or by using the rpm podman-docker or equivalent). I guess we can close that issue after adding some documentation, I guess ? |
docker compatibility mode works now ... -> #901 - so renamed the issue |
Can someone send an example ? i can't get it working using both commands :
but :
i'm kinda lost |
I think your |
If I managed to make it work on Fedora 38 with the latest version of podman in rootless mode:
|
In case anybody else has issues with the Effectively, set the contents of your containers.conf (in my case, it's [containers]
log_driver="json-file"
[engine]
events_logger="file" I guess it was reporting events to a different location than the podman service expected to find them. Now I have woodpecker running entirely through podman! This is important to me, because I need to use CI to run With the above config, I was able to run woodpecker with a Podman backend, but in order to run [containers]
label=false
devices=["/dev/fuse"]
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"NET_BIND_SERVICE",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT",
"SYS_ADMIN",
"MKNOD",
] This allows podman (buildah, I guess?) to do the the stuff that it needs to do to mount and run rootful containers in the podman rootless container. I couldn't get rootless-in-rootless working, even when following the information in this guide, but the issues I was running into might have been specific to the container in question, and I might have been able to fix it with some hackery. edit: And now socketed podman won't run for me at all, due to some debug logging from conmon. Oh well; I tried. |
It looks like v2 broke woodpecker-agent running in a container via podman. In v1.0.5 I regularly get these errors when running pipelines but everything still works fine, including buildx, etc:
But in v2.0.0 & latest HEAD (237b225 at time of this post) it seems to actually fail on this error now:
I didn't have the time to look through the large diff between v1 & v2 but it does appear that this error should actually be caught here: woodpecker/pipeline/backend/docker/docker.go Lines 361 to 366 in 237b225
|
Hello Laszlo!
Is it possible to integrate podman in woodpecker?
Podman does not run as a daemon (like docker : /var/run/docker.sock) but is fully compatible with the docker command line.
Another point is that podman can also mount secrets via mount.conf, then you maybe have also solved Global Secrets.
Also cgroups v2 is native supported by podman.
Further information about podman:
The text was updated successfully, but these errors were encountered: