Proposal for implementing init containers #23666
Conversation
smarterclayton
added
the
kind/design
|
@kubernetes/sig-node @kubernetes/kube-api |
k8s-github-robot
added
the
size/L
| to start and that configuration is environment dependent, the image must be | ||
| altered to add the necessary templating or retrieval. | ||
|
|
||
| This proposal introduces the concept of an **init container**, one or more |
There was a problem hiding this comment.
This is a base case of DAG/workflow + pre&post-hook mechanics, except this proposal is missing the post bit.
@bgrant0607, @davidopp - Instead of speculating, I'll just ask ;-) Do you have a long term DAG/workflow model & hooks that you are planning?
There was a problem hiding this comment.
If we want to do DAG, then we'd probably have data preconditions on
containers (the volume type container as proposed), and we'd need control
conditions. I may have missed that in Brian's comment about doing volume
type container (which form the edges) as the implication of the change.
If we implement the DAG, init containers are technically still useful and
easier to reason about total resources for. I believe in a future DAG
model you could convert init containers to a DAG defined solely in the
containers slice transparently, so one does not block the other.
On Thu, Mar 31, 2016 at 9:55 AM, Timothy St. Clair <notifications@github.com
wrote:
In docs/proposals/container-init.md
#23666 (comment)
:
+March 2016
+
+## Proposal and Motivation
+
+Within a pod there is a need to initialize local data or adapt to the current
+cluster environment that is not easily achieved in the current container model.
+Containers start in parallel after volumes are mounted, leaving no opportunity
+for coordination between containers without specialization of the image. If
+two containers need to share common initialization data, both images must
+be altered to cooperate using filesystem or network semantics, which introduces
+coupling between images. Likewise, if an image requires configuration in order
+to start and that configuration is environment dependent, the image must be
+altered to add the necessary templating or retrieval.
+
+This proposal introduces the concept of an init container, one or moreThis is a base case of DAG/workflow + pre&post-hook mechanics, except this
proposal is missing the post bit.@bgrant0607 https://github.com/bgrant0607, @davidopp
https://github.com/davidopp - Instead of speculating, I'll just ask ;-)
Do you have a long term DAG/workflow model & hooks that you are planning?—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
https://github.com/kubernetes/kubernetes/pull/23666/files/7efdc3d36197f1ca452339d49abbc87163fb0e75#r58056775
There was a problem hiding this comment.
This really looks more like ~job/task/container-hooks despite the larger question. In other systems they are tied to life-cycle events:
- fetch (which we may or may not care about)
- pre/init (this proposal/setup)
- update (which we don't really do, but useful in batching/restart)
- evict (sometimes treated separately, billing and what not)
- exit (we probably want/tear-down)
dunno if you want to address here or explicitly defer?
There was a problem hiding this comment.
I am strongly opposed to DAG.
There was a problem hiding this comment.
Other proposed hooks include preStart and postStop, at the container level: #140
There was a problem hiding this comment.
Is "PreStart" container hooks the same as a pre-start pod hook?
A pre start container hook would just be some bash that executes a binary in the container right? If I need to insert the binary in my container, I might as well invoke it in an entrypoint script. How much value does it add?
Instead of stacking init containers at the pod level, we could just attach them to the specific container they're initializaing and call them PreStart container hooks. This feels less useful in a pod context, I'd want to wait till all containers in my pod are initialized before starting any part of the app.
There was a problem hiding this comment.
@bprashanth responding to vish i was addressing renaming. You seem to be addressing functional gap? I thought we seemed to be ok on init container as pre app-container start, merely naming.
There was a problem hiding this comment.
Ack. Pardon my confusion, I was just making sure we weren't doing a pre start container hook instead.
There was a problem hiding this comment.
@smarterclayton So what is the final decision? Is it going to stay as init containers or be renamed to pre-start containers?
There was a problem hiding this comment.
|
Ensuring I do not forget to come back and read this in more detail when not debugging node issues. (cc @derekwaynecarr) |
|
@jonboulle @philips We need to think about how this can be implemented in rkt without introducing container level intefaces to rkt for now. e.g. Introducing dependencies between the apps and let systemd of the pod to handle it? |
|
I'll incorporate whatever plan you guys have - I had assumed systemd On Thu, Mar 31, 2016 at 2:45 PM, Yifan Gu notifications@github.com wrote:
|
| block startup of containers | ||
| * Running a "pre-pod" would defeat the purpose of the pod being an atomic | ||
| unit of scheduling. | ||
|
|
There was a problem hiding this comment.
What about adding a StartCondition? The start condition could be things like, Container A is ready, Container B is successful, or Container C is exited. Pros: (maybe) fewer new concepts; can represent arbitrary dags. Cons: adds lifecycle complexity, specifically complicates the restart policy; startup order less predictable.
Is this what @timothysc proposed above?
There was a problem hiding this comment.
Example issue: We support image updates. What should happen if we update the image of a container that other containers depend on? For that matter, if a container fails and restarts, what should happen to dependent containers?
| ## Design Points | ||
|
|
||
| * Init containers should be able to: | ||
| * Perform initialization of shared volumes |
There was a problem hiding this comment.
I still think #831 is preferable for that.
There was a problem hiding this comment.
There was a problem hiding this comment.
I'll amend that to we would have a start / readiness precondition DAG if a fuse container was modeled with container volume defining the dependency.
There was a problem hiding this comment.
If init containers execute after all volumes have been mounted and initialized, it shouldn't preclude implementation of #831, no.
@bgrant0607 @smarterclayton I also feel this is something can be implemented by preStart, even you have multiple containers that depends on the init container. In this case the preStart should run in the container's namespace, which is something like what's defined in appc's pre-start. One concern might be the app container's image doesn't have the binaries available for the hooks, but I don't really bother about this, as if users wants to run the hooks, they need to have the binary available anyway, either in the app container or in the init container. To me it seems have the binaries available in the app's image reduces the overhead then using a particular image for the init container. So I am curious what values init containers add besides preStart hooks? Of course, one obvious reason could be that docker doesn't have preStart hooks today... |
|
A big design point for init containers is to not have to have the binaries On Wed, Apr 6, 2016 at 2:19 AM, Yifan Gu notifications@github.com wrote:
|
| * Download binaries that will be used in app containers as execution targets | ||
| * Inject configuration or extension capability to generic images at startup | ||
| * Perform complex templating of information avaliable in the local environment | ||
| * Register the pod with other components of the system |
There was a problem hiding this comment.
I think there are (at least) 3 categories of "init" actions:
- Fetch data into volumes. Better served by Image volumes and container volumes #831 IMO, but if this is the only hammer we're building, it could also pound that screw.
- Perform context-specific transformations of volume data, likely out-of-place, and other one-time config generation (perhaps using downward-API data). I thik this is usually container-specific rather than volume-specific, and perhaps could be done with a preStart hook (maybe leveraging a script mounted from a volume), if we had preStart hooks. Again, could be done by an init container in lieu of preStart hooks, though the separation of the init container and consuming container in the spec could be awkward.
- Perform "read-only" pre-start actions, like registration and delaying startup. Ideal for a pod-level init container.
|
What are the open issues left here for closing this proposal? I raised QoS issues above, and thought we reached an agreement already and the proposal from @vishh already covered that based our discussion and merged. Also QoS issue shouldn't be blocker here. |
|
I don't think there is anything left except to document the current On Jun 3, 2016, at 2:52 PM, Dawn Chen notifications@github.com wrote: What are the open issues left here for closing this proposal? I raised QoS — |
| * Using a volume container that does not populate a volume to delay pod start | ||
| (in the absence of init containers) would be an abuse of the goal of volume | ||
| containers. | ||
| * Container pre-start hooks are not sufficient for all initialization cases: |
There was a problem hiding this comment.
Since pre-start hooks are not implemented yet, link to the issue: #140
smarterclayton
force-pushed
the
initctrproposal
branch
2 times, most recently
from
0ce2d72 to
f46a2f7
Compare
|
Updated with all feedback to date (noted that pod QoS is higher of init container QoS or regular container QoS, which was part of the discussion above). |
|
@smarterclayton Would you provide an update on the status for the documentation for this feature as well as add any PRs as they are created? Not Started / In Progress / In Review / Done Thanks |
|
I totally forgot about this proposal since we got the implementation in.Giving it a final read through, I think it's good to go in though. |
bprashanth
added
the
lgtm
k8s-github-robot
removed
the
lgtm
|
Docs status? |
|
Docs are waiting for review in kubernetes/website#679 |
smarterclayton
force-pushed
the
initctrproposal
branch
from
f46a2f7 to
bdde25c
Compare
smarterclayton
added
release-note-experimental
lgtm
|
Added release note. |
|
GCE e2e build/test passed for commit bdde25c. |
|
GCE e2e build/test passed for commit bdde25c. |
|
Automatic merge from submit-queue |
|
Why not add general Pod level life cycle hook? AFAIK, we have container level life cycle hook, Pod level life cycle hook is also very helpful. IMO, InitContainers can implement as a kind of Pod level PreStart hook. And we have some case need Pod level PreStop hook support, it's ugly to add a PostContainers. A general Pod level life cycle hook sounds better. |
|
Hooks run in containers. For there to be a post stop hook, there must be a Can you describe a usecase for a post-stop pod hook so we can discuss On Oct 8, 2016, at 12:41 AM, Liang Mingqiang notifications@github.com @smarterclayton https://github.com/smarterclayton @bgrant0607 Why not add general Pod level life cycle hook? AFAIK, we have container IMO, InitContainer can implement as a kind of Pod level PreStart hook. And — |
For example, I have a Pod P, which running a container C. I want to commit container C and push it into registry when Pod exit. Then, I need a Pod level pre/post stop hook. In the pre/post stop hook, I run a new container which could access docker daemon(by mount |
|
I'd recommend you do this via a privileged container that observes After all, you need to know success or failure. On Oct 8, 2016, at 8:39 AM, Liang Mingqiang notifications@github.com @smarterclayton https://github.com/smarterclayton Can you describe a usecase for a post-stop pod hook so we can discuss For example, I have a Pod P, which running a container C. I want to commit — |
Addresses #1589. Implemented in #23567. Docs in kubernetes/website#679