[ARVADOS] updated: ae970cb115251915c0a8e1052b23acdd2ab70fee

Git user git at public.curoverse.com
Thu Mar 23 09:52:45 EDT 2017


Summary of changes:
 .../install-dispatch.html.textile.liquid           | 15 +++++++++
 services/crunch-run/crunchrun.go                   | 38 ++++++++++++++++------
 2 files changed, 43 insertions(+), 10 deletions(-)

       via  ae970cb115251915c0a8e1052b23acdd2ab70fee (commit)
       via  a67faeeb159323d35d2a3229c7b5d014dc175767 (commit)
       via  82ff0337a99b7aaed626a624633b8c068dc5e142 (commit)
       via  950ae9635334cd1ca6a2738b185f6481cc3d771f (commit)
      from  83203f5c739ee0b0199e76babccb60e832a0de8e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit ae970cb115251915c0a8e1052b23acdd2ab70fee
Merge: 83203f5 a67faee
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Thu Mar 23 09:52:39 2017 -0400

    Merge branch '11255-docker-host-networking' closes #11255


commit a67faeeb159323d35d2a3229c7b5d014dc175767
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Thu Mar 23 09:49:56 2017 -0400

    11255: Fix whitespace

diff --git a/services/crunch-run/crunchrun.go b/services/crunch-run/crunchrun.go
index b3d745f..062126d 100644
--- a/services/crunch-run/crunchrun.go
+++ b/services/crunch-run/crunchrun.go
@@ -1161,10 +1161,10 @@ func main() {
 		`Specify if networking should be enabled for container.  One of 'default', 'always':
     	default: only enable networking if container requests it.
     	always:  containers always have networking enabled
-        `)
+    	`)
 	networkMode := flag.String("container-network-mode", "default",
 		`Set networking mode for container.  Corresponds to Docker network mode (--net).
-        `)
+    	`)
 	flag.Parse()
 
 	containerId := flag.Arg(0)

commit 82ff0337a99b7aaed626a624633b8c068dc5e142
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Wed Mar 22 12:56:34 2017 -0400

    11255: Add documentation about configuration to enable host networking always.

diff --git a/doc/install/crunch2-slurm/install-dispatch.html.textile.liquid b/doc/install/crunch2-slurm/install-dispatch.html.textile.liquid
index e6b8e1e..f50534e 100644
--- a/doc/install/crunch2-slurm/install-dispatch.html.textile.liquid
+++ b/doc/install/crunch2-slurm/install-dispatch.html.textile.liquid
@@ -120,6 +120,21 @@ You can work around this issue by disabling the Docker daemon's systemd integrat
 
 {% include 'notebox_end' %}
 
+h3. CrunchRunCommand: Using host networking for containers
+
+Older Linux kernels (prior to 3.18) have bugs in network namespace handling which can lead to compute node lockups.  This by is indicated by blocked kernel tasks in "Workqueue: netns cleanup_net".   If you are experiencing this problem, as a workaround you can disable use of network namespaces by Docker across the cluster.  Be aware this reduces container isolation, which may be a security risk.
+
+<notextile>
+<pre><code class="userinput">Client:
+  APIHost: <b>zzzzz.arvadosapi.com</b>
+  AuthToken: <b>zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz</b>
+CrunchRunCommand:
+- <b>crunch-run</b>
+- <b>"-container-enable-networking=always"</b>
+- <b>"-container-network-mode=host"</b>
+</code></pre>
+</notextile>
+
 h3. MinRetryPeriod: Rate-limit repeated attempts to start containers
 
 If SLURM is unable to run a container, the dispatcher will submit it again after the next PollPeriod. If PollPeriod is very short, this can be excessive. If MinRetryPeriod is set, the dispatcher will avoid submitting the same container to SLURM more than once in the given time span.

commit 950ae9635334cd1ca6a2738b185f6481cc3d771f
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Thu Mar 23 09:49:31 2017 -0400

    11255: Add -container-enable-networking and -container-network-mode options.

diff --git a/services/crunch-run/crunchrun.go b/services/crunch-run/crunchrun.go
index 26c8a7a..b3d745f 100644
--- a/services/crunch-run/crunchrun.go
+++ b/services/crunch-run/crunchrun.go
@@ -117,6 +117,9 @@ type ContainerRunner struct {
 	cStateLock sync.Mutex
 	cStarted   bool // StartContainer() succeeded
 	cCancelled bool // StopContainer() invoked
+
+	enableNetwork string // one of "default" or "always"
+	networkMode   string // passed through to HostConfig.NetworkMode
 }
 
 // SetupSignals sets up signal handling to gracefully terminate the underlying
@@ -658,6 +661,15 @@ func (runner *ContainerRunner) CreateContainer() error {
 	for k, v := range runner.Container.Environment {
 		runner.ContainerConfig.Env = append(runner.ContainerConfig.Env, k+"="+v)
 	}
+
+	runner.HostConfig = dockerclient.HostConfig{
+		Binds:        runner.Binds,
+		CgroupParent: runner.setCgroupParent,
+		LogConfig: dockerclient.LogConfig{
+			Type: "none",
+		},
+	}
+
 	if wantAPI := runner.Container.RuntimeConstraints.API; wantAPI != nil && *wantAPI {
 		tok, err := runner.ContainerToken()
 		if err != nil {
@@ -668,9 +680,13 @@ func (runner *ContainerRunner) CreateContainer() error {
 			"ARVADOS_API_HOST="+os.Getenv("ARVADOS_API_HOST"),
 			"ARVADOS_API_HOST_INSECURE="+os.Getenv("ARVADOS_API_HOST_INSECURE"),
 		)
-		runner.ContainerConfig.NetworkDisabled = false
+		runner.HostConfig.NetworkMode = runner.networkMode
 	} else {
-		runner.ContainerConfig.NetworkDisabled = true
+		if runner.enableNetwork == "always" {
+			runner.HostConfig.NetworkMode = runner.networkMode
+		} else {
+			runner.HostConfig.NetworkMode = "none"
+		}
 	}
 
 	var err error
@@ -679,14 +695,6 @@ func (runner *ContainerRunner) CreateContainer() error {
 		return fmt.Errorf("While creating container: %v", err)
 	}
 
-	runner.HostConfig = dockerclient.HostConfig{
-		Binds:        runner.Binds,
-		CgroupParent: runner.setCgroupParent,
-		LogConfig: dockerclient.LogConfig{
-			Type: "none",
-		},
-	}
-
 	return runner.AttachStreams()
 }
 
@@ -1149,6 +1157,14 @@ func main() {
 	cgroupParent := flag.String("cgroup-parent", "docker", "name of container's parent cgroup (ignored if -cgroup-parent-subsystem is used)")
 	cgroupParentSubsystem := flag.String("cgroup-parent-subsystem", "", "use current cgroup for given subsystem as parent cgroup for container")
 	caCertsPath := flag.String("ca-certs", "", "Path to TLS root certificates")
+	enableNetwork := flag.String("container-enable-networking", "default",
+		`Specify if networking should be enabled for container.  One of 'default', 'always':
+    	default: only enable networking if container requests it.
+    	always:  containers always have networking enabled
+        `)
+	networkMode := flag.String("container-network-mode", "default",
+		`Set networking mode for container.  Corresponds to Docker network mode (--net).
+        `)
 	flag.Parse()
 
 	containerId := flag.Arg(0)
@@ -1180,6 +1196,8 @@ func main() {
 	cr.statInterval = *statInterval
 	cr.cgroupRoot = *cgroupRoot
 	cr.expectCgroupParent = *cgroupParent
+	cr.enableNetwork = *enableNetwork
+	cr.networkMode = *networkMode
 	if *cgroupParentSubsystem != "" {
 		p := findCgroup(*cgroupParentSubsystem)
 		cr.setCgroupParent = p

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list