Kubernetes-compatible PMM Server Docker image (rootless)
Activity
Nurlan Moldomurov November 13, 2023 at 1:41 PM
this one should be done within https://jira.percona.com/browse/PMM-12523
Abel Cabezas May 4, 2021 at 4:15 PM
I have tried to run *perconalab/pmm-server-openshift:1.15.0* image in Openshift and I am getting the following error:
Which refers to the command:
cat /tmp/prometheus.yml > /etc/prometheus.yml
Commenting that line leads to more errors related to files that fall under folders belonging to root:root (i.e. files under /etc or under /var).
Denys Kondratenko May 4, 2021 at 2:24 PM
for Kubernetes we need to be able to mount /srv as a volume, thus either pmm-managed should prepare it or we need to run ansible stages.
For ansible stages we need to rework them to have them separate from installation and etc.
It could look like this:

    initContainers:
      - name: pmm-init
        image: docker.io/percona/pmm-server:2
        # init container runs full ansible container prepare jobs could take ~2min
        command: ['sh', '-c', "[ \"$(ls -A /srv)\" ] && echo 'Init is not needed, /srv is not empty' || ( echo 'Init: /srv is empty preparing...'; ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm2-docker/main.yml; ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm2/post-build-actions.yml; echo 'Init: complete, /srv prepared' )"]
        volumeMounts:
          - name: pmm-volume
            mountPath: "/srv"

currently it takes ~2min, shouldn't take that long.
Mykola Marzhan October 15, 2018 at 7:01 AM
Work is finished, I have created a separate image - https://github.com/Percona-Lab/percona-openshift/tree/master/images/pmm-server-image
tag - perconalab/pmm-server-openshift:1.15.0
Mykola Marzhan September 24, 2018 at 10:02 AM
alpha version of pmm-server - perconalab/pmm-server-fb:PMM-2891-add-rootless-pmm-server-c979722-rootless
work still in progress
PR - https://github.com/Percona-Lab/pmm-submodules/pull/91
update not expected to work
We need a separate container for this.
We should make PMM Server Docker image Kubernetes-compatible.
- Use /readyz API for Docker HEALTHCHECK – moved to PMM-3019, DONE
- Do not use root user anywhere inside container – except for in-place updates:
  - Remove logrotate; use logging to stdout/stderr and supervisord for managing log files - DONE
  - Remove crond and all cron jobs
  - Use pmm user for nginx; listen on ports > 1023 – moved to PMM-4996
  - Run ClickHouse as non-root
  - Start programs as pmm user
  - Start supervisord as pmm user
- The UI upgrade feature for non-k8s environments should not be broken and disabled for k8s.
(Comments below refer to the work done for PMM 1.x. See also previous discussion on PMM-354)
QA: run usual automation, check there is no root inside
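
One way to script the "no root inside" QA check and the "ports > 1023" item from the list above. This is an added example, not part of the ticket or Percona's automation; the function names and the sample `ps`/`ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Percona's QA automation. Function names and the sample
# data below are assumptions made for illustration.

# Reads `ps -eo user,pid,comm` output on stdin, prints every process owned by
# root (by name or numeric UID 0) and returns 1 if there is at least one.
root_procs() {
    awk 'NR > 1 && ($1 == "root" || $1 == "0") { print; bad = 1 }
         END { exit bad + 0 }'
}

# Reads `ss -Hltn` output on stdin (no header, 4th column is local addr:port),
# prints listeners on ports <= 1023 and returns 1 if there is at least one.
privileged_listeners() {
    awk '{ n = split($4, a, ":"); port = a[n] + 0
           if (port > 0 && port <= 1023) { print $4; bad = 1 } }
         END { exit bad + 0 }'
}

# Constructed sample: supervisord and crond still run as root, nginx on port 80.
SAMPLE_PS_ROOTFUL='USER PID COMMAND
root 1 supervisord
pmm 14 pmm-managed
root 15 crond
pmm 16 nginx'
SAMPLE_SS_ROOTFUL='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*'

# Constructed sample: everything runs as pmm or as an arbitrary assigned UID.
SAMPLE_PS_ROOTLESS='USER PID COMMAND
pmm 1 supervisord
pmm 14 pmm-managed
1000680000 16 nginx'
SAMPLE_SS_ROOTLESS='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*'

# Demo over the constructed samples. Inside a running container, feed the
# functions live data instead, e.g.: ps -eo user,pid,comm | root_procs
report() {
    printf '%s\n' "$2" | root_procs >/dev/null && p=ok || p=ROOT-FOUND
    printf '%s\n' "$3" | privileged_listeners >/dev/null && l=ok || l=LOW-PORT
    echo "$1: processes=$p listeners=$l"
}
report rootful "$SAMPLE_PS_ROOTFUL" "$SAMPLE_SS_ROOTFUL"
report rootless "$SAMPLE_PS_ROOTLESS" "$SAMPLE_SS_ROOTLESS"
```

The numeric-UID match matters on OpenShift-style clusters, where `ps` shows a bare UID when the assigned user has no passwd entry.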