Kind reminder: I kicked off a discussion about installing podman on all
supported cfarm machines last November:
https://lists.tetaneutral.net/pipermail/cfarm-users/2023-November/001020.html
Unfortunately, it didn't get very far...
I also asked the cfarm-admins before contacting the users list. Baptiste
Jonglez' questions and my answers are attached below.
One little addendum: The overlay driver is used by default from podman 4.6
onwards. It was necessary to configure it explicitly before that version. See
this bug for some context: https://github.com/containers/podman/issues/19811
----
Hi Baptiste,
I've opened a discussion thread on cfarm-users, but I'm responding to your
questions here. I can forward these to the user list as well, if you think it
makes sense.
Some considerations though:
- it needs to be clear that this should be used to build/test/debug free
software (aka the purpose of the farm), not as a way to run long-running
services
I don't have an idea if it's possible to enforce killing user's containers on
logout, but any leftover processes will show up in the system's global process
list. They could be killed like any other long-running process if needed.
- do you know if it is required to map a range of UID/GID for each user?
The simplest approach for us would be to run all containers as the
existing farm user UID/GID.
Yes, Podman makes use of so-called subuids and subgids, which must be
configured:
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#etcsubuid-and-etcsubgid-configuration
Debian provides a default configuration, but it may require some tweaking for
the cfarm environment.
- storing containers in home directory is a good thing, this is where we
have available space
- can we easily set up a retention policy across all user containers, for
instance "delete all images and containers that were not used in the
last X months?"
I suppose it's possible, but there is a caveat: The VFS and OverlayFS drivers
store the actual files and directories as-is on disk, which means that a simple
file-based retention policy could potentially cripple containers and images,
instead of cleaning them up completely.
There is a podman-system-prune command that supports a date filter, though:
https://docs.podman.io/en/latest/markdown/podman-system-prune.1.html
It sounds like this is a local command that must be executed for each user
individually (despite the name).
- it looks like overlayFS requires a pretty recent kernel: that would
limit it to bookworm and later, and seemingly exclude CentOS 8 hosts
such as cfarm185
Debian has had fuse-overlayfs as a dependency of podman since bullseye, despite
not actually using OverlayFS by default. The native driver has been in Linux
since kernel 5.5 (which, incidentally, includes Debian bullseye and CentOS 8).
I don't know if there are any disadvantages in using the Fuse driver, and I
haven't tested OverlayFS before Debian trixie.
Regards,
Gregor
_______________________________________________
cfarm-users mailing list
cfarm-users@lists.tetaneutral.net
https://lists.tetaneutral.net/listinfo/cfarm-users
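To make the three configuration points in the mail concrete (subuid/subgid ranges per user, a per-user prune command as the retention policy, and the explicit overlay driver setting needed before podman 4.6), here is an added POSIX sh example. It is not code from the mail, the cfarm admins or the podman project. The /etc/subuid content is constructed; the 65536-id minimum, the ~/.config/containers/storage.conf path and the /usr/bin/fuse-overlayfs path are assumptions on my side (they match the rootless tutorial and Debian's packaging as far as I know). Note also that, to my understanding, podman's `until` filter keys on creation time rather than last use, so "not used in the last X months" is approximated here by "created more than X months ago".

```shell
#!/bin/sh
# Added example (not part of the original mail): checks for the rootless
# podman prerequisites discussed in the thread. All data below is constructed.

# Constructed sample of /etc/subuid (same format as /etc/subgid):
#   alice: a proper 65536-id range
#   bob:   a range that is too small
#   carol and dave: ranges that overlap each other
SAMPLE_SUBUID='alice:100000:65536
bob:200000:1000
carol:300000:65536
dave:330000:65536'

# subid_range_ok FILE_CONTENT USER
# Returns 0 when USER has exactly one entry of at least 65536 ids that does
# not overlap any other user's entry; otherwise prints the reason and returns 1.
subid_range_ok() {
    content=$1
    user=$2
    line=$(printf '%s\n' "$content" | grep "^$user:" || true)
    [ -n "$line" ] || { echo "no entry for $user"; return 1; }
    n=$(printf '%s\n' "$content" | grep -c "^$user:" || true)
    [ "$n" -eq 1 ] || { echo "multiple entries for $user"; return 1; }
    start=${line#*:}; start=${start%%:*}   # second field
    count=${line##*:}                        # third field
    end=$((start + count - 1))
    [ "$count" -ge 65536 ] || { echo "$user: range too small ($count < 65536)"; return 1; }
    # Overlap check against every other entry (the subshell exits 1 on overlap).
    printf '%s\n' "$content" | grep -v "^$user:" | while IFS=: read -r other ostart ocount; do
        oend=$((ostart + ocount - 1))
        if [ "$start" -le "$oend" ] && [ "$ostart" -le "$end" ]; then
            echo "$user: range overlaps with $other"
            exit 1
        fi
    done || return 1
    return 0
}

# prune_cmd MONTHS
# Prints the per-user command implementing "remove everything created more
# than MONTHS months ago" (months approximated as 30 days, since the until
# filter takes a Go-style duration). It must run as each farm user, not root.
prune_cmd() {
    months=$1
    hours=$((months * 30 * 24))
    printf 'podman system prune --all --force --filter until=%sh\n' "$hours"
}

# storage_conf_overlay [MOUNT_PROGRAM]
# Prints a minimal ~/.config/containers/storage.conf selecting the overlay
# driver explicitly (needed before podman 4.6). Passing a mount_program makes
# podman use fuse-overlayfs instead of the native kernel driver.
storage_conf_overlay() {
    printf '[storage]\ndriver = "overlay"\n'
    if [ -n "${1:-}" ]; then
        printf '\n[storage.options.overlay]\nmount_program = "%s"\n' "$1"
    fi
}

# Usage when run directly:
#   for u in alice bob carol dave erin; do subid_range_ok "$SAMPLE_SUBUID" "$u" && echo "$u ok"; done
#   prune_cmd 3
#   storage_conf_overlay /usr/bin/fuse-overlayfs
```

The overlap check matters because two users sharing part of a subuid range can read and write each other's container files on the shared host; `useradd` on Debian normally allocates non-overlapping ranges, but hand-edited files on a farm with many accounts are worth auditing.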