feat(install): Adds support for podman(compose) #3673
Conversation
…mpatibility with docker
There was a problem hiding this comment.
Quite surprised (positively!) that the changes needed are so few! Added a few comments and on top of those, we definitely should have a test using podman now to make sure this actually works and does not break in the future (can help with this if you need me).
Thanks so much for taking the effort!
|
FYI tests failed with the following error:
|
I agree that having a test would be great. In the best case, we can run the whole suite for both docker and podman. I'm just unsure about the environment this is run on and would welcome your input and ideas very much! |
…pose build; Substitutes occurences of
|
Have converted back to draft, as there are some tweaks to make, still. |
|
@DuncanConroy Let us know if you need help in terms of anything, we'd be happy to help you. Having this PR really made us happy :) |
| @@ -29,6 +29,8 @@ Options: | |||
| --no-report-self-hosted-issues | |||
| Do not report error and performance data about your | |||
| self-hosted instance upstream to Sentry. | |||
| --container-engine-podman | |||
There was a problem hiding this comment.
Same as above: how about this just being --container-engine with a default value of docker?
There was a problem hiding this comment.
Not sure I understand your intent. This was thought as a switch to activate podman over docker. We can surely remove the autodetection and completely rely on this switch. I'd still keep it --container-engine-podman, because just using --container-engine would possibly be misleading?
There was a problem hiding this comment.
@DuncanConroy sorry for not being clearer. What I had in mind was making --container-engine a flag to pass in a custom value as in --container-engine <engine> where we default to docker (so when the flag is not passed, we will assume docker).
Although we would only support podman and docker at start, this should keep the API unchanged if we ever add new engines like runc or similar.
There was a problem hiding this comment.
Not sure how to do this with bash, tbh. :D
There was a problem hiding this comment.
I'll see what I can do about this 😅
There was a problem hiding this comment.
It is quite simple... unless you want to validate argument :)
Something like
case "$1" in
<...>
--container-engine) CONTAINER_ENGINE="$2"; shift ;;Modifies docker-compose.yml with pull_policy: never, which also works for podman-compose.
…ait_ready function
|
@DuncanConroy Any idea how to suppress that? |
I suppose you mean the hash that's written to the credentials.json file before the JSON? I don't have a clue, unfortunately. Didn't encounter that myself. |
I'm more interested on your war story with SELinux. I'd appreciate it if you share that with us later. Also, I'm glad the
We'll help you on that. My hunch is related to |
|
Regarding SELinux, I believe I ended up with `chmod 777` on all mounted
directories, as well as adding some special container label to those
directories recursively. In the end it wasn't too complicated, but took me
while to figure out the right way. I have no playbook for that,
unfortunately.
But podman and everything runs rootless, so it is definitely possible.
|
|
FYI I put this on hold on my end folks as I spent way too much time fixing these scripts and CI. If anyone can figure out why we are getting that hash, I think that would unblock most of this. |
@BYK, could you run it again with debug on? I want to participate in fixes and believe it would be faster then recreating environment by myself from the ground. |
|
@doc-sheet you mean GitHub CI debug? Because I'm fairly sure the debug for the tooling will generate output that would break things even further. Btw the setup is fairly bare bones: Ubuntu 22.04 with podman stuff installed. Clone the repo, run install.sh. That's all |
|
yeah, I meant github action restart with debug option |
|
Just made a quick look and found a fun thing. I suppose it somehow related to how python (podman-compose) parses arguments. Maybe it adds detach flag at some point which is why podman prints container id. I'll try to dig in it tomorrow. I also stepped on another issue: |
|
Could that issue be related to containers/podman-compose#707 ? |
|
@doc-sheet here's the run with debug enabled: https://github.com/getsentry/self-hosted/actions/runs/14732867860/job/41748307991?pr=3673 Thanks so much for your help 🙏🏻 |
Me and Amin don't have write access, sooo..... 🤷 |
install/build-docker-images.sh
Outdated
| $dcb --force-rm web | ||
| dcb_force="$dcb --force-rm" | ||
| if [[ "$CONTAINER_ENGINE" == "podman" ]]; then | ||
| dcb_force="$dcb --podman-rm-args='--force'" |
There was a problem hiding this comment.
looks like single quotes here passed as is which leads to
dcb_force='podman compose --no-ansi --env-file .env build --build-arg http_proxy= --build-arg https_proxy= --build-arg no_proxy= --podman-rm-args='\''--force'\'''
podman compose --no-ansi --env-file .env build --build-arg http_proxy= --build-arg https_proxy= --build-arg no_proxy= '--podman-rm-args='\''--force'\''' web
podman-compose: error: unrecognized arguments: --podman-rm-args='--force'
|
Sooo. The issue is not in args. How
podman pod exists pod_sentry-self-hosted
podman pod create --name=pod_sentry-self-hosted --infra=false --share=
podman run --name=sentry-self-hosted_relay_tmp61537 --rm -i --pod=pod_sentry-self-hosted --label io.podman.compose.config-hash=4f24dfaedb436ac5a872aaf9afd02b3d5da8c0913de8c33c0ee702a9700764db --label io.podman.compose.project=sentry-self-hosted --label io.podman.compose.version=1.3.0 --label PODMAN_SYSTEMD_UNIT=podman-compose@sentry-self-hosted.service --label com.docker.compose.project=sentry-self-hosted --label com.docker.compose.project.working_dir=/home/runner/work/self-hosted/self-hosted --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=relay -v ./relay:/work/.relay:ro -v ./geoip:/geoip:ro --network=sentry-self-hosted_default:alias=relay getsentry/relay:nightly credentials generate --stdoutSo hash is the id of created pod written to stdout after |
|
I guess fastest way to handle this is to just disable pod creation "Ensuring Relay credentials" test passed. However to someone who would use podman-compose to run sentry pods may be neccessary (idk, never used it). --- a/install/dc-detect-version.sh
+++ b/install/dc-detect-version.sh
@@ -66,7 +66,7 @@ fi
proxy_args="--build-arg http_proxy=${http_proxy:-} --build-arg https_proxy=${https_proxy:-} --build-arg no_proxy=${no_proxy:-}"
if [[ "$CONTAINER_ENGINE" == "podman" ]]; then
proxy_args_dc="--podman-build-args http_proxy=${http_proxy:-},https_proxy=${https_proxy:-},no_proxy=${no_proxy:-}"
- dcr="$dc run --rm"
+ dcr="$dc --in-pod=false run --rm"
else
proxy_args_dc=$proxy_args
dcr="$dc run --pull=never --rm" |
|
Another workaround I guess is to run dummy command like $dcr --no-deps -T relay --version >/dev/nulljust to create pod, so next command will run in existing pod and would not print it's id |
|
@doc-sheet ah, great find! The |
|
We should also figure out volume caching story with Podman. We have 2 options:
|
|
Okay, now we need to make the tests aware of Podman |
Adds support for podman(compose), while maintaining compatibility with docker
Introduces a new script to detect podman vs. docker. Distinguishes between docker and podman minimum versions and substitutes uses of docker with a variable instead.
Closes #369
Legal Boilerplate
Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.