feat: podman kubedock enhancement #224

Open
wants to merge 1 commit into base: main


@eye0fra eye0fra commented Jun 3, 2025

Summary

This PR introduces significant enhancements to the Podman/Kubedock integration within the UBI9 base image, focusing on improved compatibility, usability, and automation for containerized workflows that rely on Podman, especially in environments where Kubedock is enabled.


Key Changes

1. Podman Wrapper System Overhaul

  • New Wrapper Scripts:

    • podman-compose-down-wrapper.sh:
      Provides a robust replacement for podman compose down (or docker compose down) to ensure proper cleanup of containers/services, especially when running with Kubedock where standard compose down cannot directly shut down pods.

    • podman-interactive-wrapper.sh:
      Transparently intercepts problematic podman run -it ... invocations and replaces them with a workaround using podman exec, ensuring interactive sessions work reliably with Kubedock.
      The wrapper forcibly replaces any --user or -u options with the current user's numeric UID (via id -u), ensuring the container always runs as the invoking OpenShift user id, regardless of what is passed on the command line.

    • docker.sh:
      Emulates the Docker CLI using Podman, with logic to route commands through the appropriate wrapper when Kubedock is enabled.

  • Enhanced podman-wrapper.sh:

    • Detects and delegates compose down and interactive run commands to the new specialized wrappers.
    • Ensures seamless user experience and compatibility with both standard Podman and Kubedock-enabled environments.

2. Dockerfile Updates

  • Registers all new wrapper scripts in the image and sets up the environment variables for the Podman wrapper system.
  • Ensures the Docker CLI emulation is available at /usr/bin/docker and all wrappers are properly installed and owned.

3. Kubedock Setup Improvements

  • kubedock_setup.sh now:
    • Implements a retry loop to ensure kubeconfig permissions are set correctly
    • Dynamically constructs KUBEDOCK_PARAMS based on available environment variables (REQUEST_CPU, REQUEST_MEMORY, REAPER_KEEPMAX), allowing for more flexible resource and lifecycle management.

Testing

  • Manual and automated tests performed for:
    • Interactive container sessions (podman run -it ...)
    • Compose up/down workflows
    • Kubedock-enabled and standard Podman environments
    • Permission handling for kubeconfig

Backward Compatibility

  • All changes are additive and maintain compatibility with existing workflows.
  • The wrappers only activate when Kubedock is enabled or when specific command patterns are detected.
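
An added example, not the PR's podman-interactive-wrapper.sh: one way to implement the --user/-u replacement described under Key Changes, in POSIX sh. The function name force_user, the short list of value-taking options and the sample arguments are assumptions; rewriting stops at the image name so that a container command such as id -u is left alone.

```shell
#!/bin/sh
# Added example, not code from the PR.
# force_user UID ARGS... prints the arguments of a `podman run` call, one per
# line, with every -u/--user form replaced by a single `--user UID`.
# Constructed simplification: arguments containing newlines are not supported,
# and the value-taking options below are a short subset of a real wrapper's list.
force_user() {
    uid=$1; shift
    state=opts                      # opts | value | drop | cmd
    printf '%s\n' --user "$uid"     # emitted once, ahead of all other options
    for arg in "$@"; do
        case $state in
            cmd)   printf '%s\n' "$arg"; continue ;;             # image and its command: untouched
            value) printf '%s\n' "$arg"; state=opts; continue ;; # value of a kept option
            drop)  state=opts; continue ;;                       # value of -u / --user
        esac
        case $arg in
            -u|--user)      state=drop ;;   # value is the next argument
            --user=*|-u?*)  ;;              # value attached: drop the whole word
            -v|--volume|-e|--env|-w|--workdir|--name|--entrypoint|--network|--userns)
                            printf '%s\n' "$arg"; state=value ;;
            -*)             printf '%s\n' "$arg" ;;              # boolean flag: -it, --rm, --privileged
            *)              printf '%s\n' "$arg"; state=cmd ;;   # first positional is the image
        esac
    done
}
```

Keeping boolean flags out of the value-taking pattern is what stops the image name from being consumed as an option value.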


openshift-ci bot commented Jun 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: eye0fra

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@eye0fra eye0fra force-pushed the main branch 3 times, most recently from d1d387a to 215229b Compare June 3, 2025 13:29
@eye0fra eye0fra marked this pull request as ready for review June 3, 2025 18:56
@eye0fra eye0fra requested review from svor, SDawley and dkwon17 as code owners June 3, 2025 18:56
@eye0fra eye0fra force-pushed the main branch 2 times, most recently from d914534 to d5f43be Compare June 4, 2025 13:45
attempts=$((attempts - 1))
sleep 5
fi
done


I’m not entirely sure, but could there be a case where the kubeconfig file is still missing after all retry attempts? If so, should we consider explicitly throwing an error or logging a warning at that point, rather than continuing silently?

OC_SRC=$(get_pod_for_container "$SRC")
OC_DEST=$(get_pod_for_container "$DEST")

#echo exec oc cp "${OPTIONS[@]}" "$OC_SRC" "$OC_DEST"
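
Review bot: OC_SRC and OC_DEST are assigned straight from get_pod_for_container, and the lines shown contain no check that the lookup succeeded or returned a non-empty value. Since a podman cp operand can be a plain local path as well as a container:path pair, confirm the helper passes local paths through unchanged, and fail with a message on stderr when a container name cannot be mapped to a pod, rather than handing an empty operand to oc cp.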


Suggested change
#echo exec oc cp "${OPTIONS[@]}" "$OC_SRC" "$OC_DEST"

((i++)) # Skip the next argument (the value)
continue
;;
-v|--volume|-e|--env|-w|--workdir|--name|--hostname|--entrypoint|--add-host|--device|--label|--network|--cap-add|--cap-drop|--security-opt|--tmpfs|--ulimit|--mount|--publish|--expose|--dns|--dns-search|--dns-option|--mac-address|--memory|--memory-swap|--cpu-shares|--cpus|--cpu-period|--cpu-quota|--cpu-rt-runtime|--cpu-rt-period|--cpuset-cpus|--cpuset-mems|--blkio-weight|--blkio-weight-device|--device-read-bps|--device-write-bps|--device-read-iops|--device-write-iops|--shm-size|--sysctl|--log-driver|--log-opt|--restart|--stop-signal|--stop-timeout|--health-cmd|--health-interval|--health-retries|--health-timeout|--health-start-period|--userns|--cgroup-parent|--pid|--ipc|--uts|--runtime|--storage-opt|--tmpfs|--volume-driver|--volumes-from|--env-file|--add-host|--security-opt|--device|--group-add|--init|--isolation|--kernel-memory|--label|--log-driver|--log-opt|--memory-reservation|--memory-swappiness|--oom-kill-disable|--oom-score-adj|--pids-limit|--privileged|--publish-all|--read-only|--restart|--sig-proxy|--stop-signal|--tmpfs|--ulimit|--userns|--uts|--volume|--workdir)
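
Review bot: the case pattern mixes boolean flags (--privileged, --init, --read-only, --publish-all, --oom-kill-disable) with options that take a value (-v, -e, --name, --security-opt). If this branch consumes the following argument the way the preceding branch does with ((i++)), the word after a boolean flag, possibly the image name, is swallowed as its value. Split the list into a value-taking pattern and a flag-only pattern, and decide explicitly whether --privileged, --cap-add and --security-opt should be forwarded by the wrapper at all.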

@rohanKanojia rohanKanojia Jul 10, 2025


This list has some options listed twice, e.g., --log-opt, --label, --tmpfs, --device.

Comment on lines +129 to +130
# Print the command for debug
# echo podman run -d "${FINAL_RUN_OPTS[@]}" "$IMAGE" tail -f /dev/null


Suggested change
# Print the command for debug
# echo podman run -d "${FINAL_RUN_OPTS[@]}" "$IMAGE" tail -f /dev/null

@rohanKanojia

I created a DevWorkspace to test this image. I tried various podman commands mentioned in this guide and was able to run most of them: https://eclipse.dev/che/docs/stable/end-user-guide/running-containers-with-kubedock/

However, when I tried to test podman cp, I was getting this error:

docker-compose-sample $ vi hello.txt
docker-compose-sample $ podman cp hello.txt my-test:/tmp/
/home/user/.local/bin/podman: line 33: /usr/bin/podman-cp-wrapper.sh: Permission denied

When listing all scripts in /usr/bin I see that only podman-cp-wrapper.sh doesn't have executable permissions:

docker-compose-sample $ ls -lt /usr/bin| grep podman
-rwxrwxr-x. 1 root root     3340 Jul 10 16:19 podman-compose-down-wrapper.sh
-rw-rw-r--. 1 root root     1421 Jul 10 16:19 podman-cp-wrapper.sh
-rwxrwxr-x. 1 root root     4950 Jul 10 16:19 podman-interactive-wrapper.sh
-rwxrwxr-x. 1 root root     1841 Jul 10 16:19 podman.wrapper
-rwxr-xr-x. 1 root root 52475488 Jun 25 10:45 podman.orig
lrwxrwxrwx. 1 root root        6 Jun 25 10:45 podmansh -> podman
