LXD containers PoC #1472
LXD containers PoC #1472
Conversation
This comment has been minimized.
This comment has been minimized.
| auto make_ssl_config() | ||
| { | ||
| QSslConfiguration ssl_config; | ||
| ssl_config.setLocalCertificate(QSslCertificate::fromPath("/home/ubuntu/.config/lxc/client.crt")[0]); | ||
| QFile keyfile{"/home/ubuntu/.config/lxc/client.key"}; | ||
| keyfile.open(QIODevice::ReadOnly); | ||
| ssl_config.setPrivateKey(QSslKey(keyfile.readAll(), QSsl::Rsa)); | ||
| ssl_config.setPeerVerifyMode(QSslSocket::VerifyNone); | ||
|
|
||
| return ssl_config; | ||
| } |
There was a problem hiding this comment.
As discussed on IRC, we can set up a QSslConfiguration object in the LXDVirtualMachineFactory ctor and then pass that to each LXDVirtualMachine to avoid having to do the set up at every request.
|
|
||
| mp::LXDVirtualMachineFactory::LXDVirtualMachineFactory(const mp::Path& data_dir) | ||
| : data_dir{data_dir}, | ||
| base_url{"https://10.225.118.1:8443/1.0"}, |
There was a problem hiding this comment.
We're going to have to think of how to really get the IP address the LXD daemon is listening on. When Multipass becomes a strict snap, we won't have a way to call lxc config get core.https_address to get it, nor can we read it from the lxd's config file itself.
I think in the short term, the best we can do is assume the lxd daemon is listening on 127.0.0.1 and possibly have a multipass config setting to allow the user to override that.
There was a problem hiding this comment.
It will have to be a config option, since the LXD host may potentially be on a different host.
We'll default to localhost in the first place, switch to the socket (to which we can gain access via the lxd snap interface) and in the long run we'll have it configurable.
There was a problem hiding this comment.
Yep, that is basically what I had in mind as well after thinking about this. And since you mentioned it, using localhost there instead of 127.0.0.1 (as I proposed) is probably better.
| { | ||
| QSslConfiguration ssl_config; | ||
| ssl_config.setLocalCertificate(QSslCertificate::fromPath("/home/ubuntu/.config/lxc/client.crt")[0]); | ||
| QFile keyfile{"/home/ubuntu/.config/lxc/client.key"}; |
There was a problem hiding this comment.
Just a placeholder to change this to use $HOME (or QStandardPaths or changes being introduced in #1467) instead of /home/ubuntu.
There was a problem hiding this comment.
We actually will need to generate those and register with LXD instead of using those - we won't get access to them when strict, and they might not exist anyway…
There was a problem hiding this comment.
Ok, that seems even better 😃
|
|
||
| #include <fmt/format.h> | ||
|
|
||
| #include <QDebug> |
There was a problem hiding this comment.
Extraneous include to be removed.
| #include <multipass/format.h> | ||
| #include <multipass/logging/log.h> | ||
|
|
||
| #include <QDebug> |
There was a problem hiding this comment.
Extraneous include to be removed.
|
As discussed, building tests fails. |
Saviq
force-pushed
the
lxd-containers-poc
branch
from
8b1c641 to
ee3ccf2
Compare
|
Travis? |
Saviq
force-pushed
the
lxd-containers-poc
branch
from
c3d4968 to
1211603
Compare
This comment has been minimized.
This comment has been minimized.
| class PowerShell; | ||
| class SSHKeyProvider; |
There was a problem hiding this comment.
Don't need these 2 forward declarations.
| } // namespace | ||
|
|
||
| mp::LXDVirtualMachineFactory::LXDVirtualMachineFactory(const mp::Path& data_dir) | ||
| : data_dir{data_dir}, base_url{"https://10.225.118.1:8443/1.0"}, manager{std::make_unique<QNetworkAccessManager>()} |
There was a problem hiding this comment.
I know the goal is to support https over Unix sockets, but for this PoC, using localhost here would make it easier to try out 😃
This comment has been minimized.
This comment has been minimized.
This is needed to communicate with the LXD Unix socket. This is a minimal implementation and can be modified later for more/better functionality.
We're just pushing metadata to LXD, no need to download anything.
Add support for data and async operations. Share a common QNetworkAccessManager where possible.
"None" is the default FetchType, tests should be explicit about their expectations.
This is for communicating with the LXD daemon via the Unix socket.
|
As I'm digging into this more and more, I'm finding that we made many assumptions in the daemon about there will always be an image vault along with a backing image host. Some functions such as I've given this some thought and although I could hack around this by short circuiting the image vault/image host if LXD is being used, I don't think this is a good long term solution given that we want LXD to be the default driver on Linux at some point. That said, I think the right solution is to introduce a LXDImageHost in which we can query and do image operations via the LXD daemon. It also possible to download the image LXD uses as a separate operation apart from LXD's launch of an instance. This way, we can still keep the same logic the daemon currently uses wrt images. That said, there are still a few unresolved issues that we need to think about.
|
- Remove the waiting logic from lxd_request(). Callers should handle the waiting as they see fit. - Create the lxd driver specific directory. - Increase lxd_request()'s default timeout to 30 seconds.
townsend2010
force-pushed
the
lxd-containers-poc
branch
from
65e58e5 to
982e2b3
Compare
|
Snap build available: |
Well, I didn't make it so that there isn't an image vault/host, did I? Rather that it doesn't download anything? I'm not saying architecturally that's the right thing, but it was the simplest way to get there? Same for
Explain what would need to change for this short-circuiting?
That may be, but it would add maintenance for… yeah, the gain is what I'm unsure of.
Here's the full list of how you can ask LXD to create instances, and here's how to create images. For URL-based images, we can pass the URL directly to LXD. For file-based ones, we'll need to upload it to LXD before creating an instance. I see the URL and file-based images as iterations over the first step. |
|
First of all, don't get me wrong, what you did makes it work and for a PoC, is just fine. What I was jotting down here are some things I've come across as I'm working to make this more of a product and transitioning it to virtual machines.
Yes, all of that is true. The problem is is that the daemon expects there to be an instance image vault in place as well and that is what is really missing. For example, if you launch a LXD instance, then stop the daemon, and then start it again, the daemon will invalidate that instance because there is no corresponding instance image database and thus, will delete that instance from Multipass's perspective (the instance is still there as far as LXD is concerned). That is just one example. Another issue is for the download NOOP. We don't provide any user feedback if LXD has to download an image so it looks like the launch is hung. The current way this feedback is done is through the actual download before getting to the virtual machine factory or creating the virtual machine. So we either have to refactor parts to get LXD download feedback back to the client (like somehow passing
Basically what I mean here is for issues like what I mentioned above, put in Thinking more about the Cool stuff about how to use |
Ack - I was missing where the failure case is ;)
There is one caveat with that, in that we would have to handle image updates - but I suppose that's exactly what we do…
Right, I can see how LXDImageVault would make sense. I suppose DefaultVMImageVault could also use a rename so it's clearer what it's for ;) |
I think LXD will still take care of updating the image this way. It's basically doing what LXD does at its launch when it downloads an image, but just as a separate step that we are in control of. |
|
This landed in #1533. |
No description provided.