Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent anonymous volume creation (PROJQUAY-6053) #135

Merged
merged 2 commits into from
Feb 2, 2024
Merged

Prevent anonymous volume creation (PROJQUAY-6053) #135

merged 2 commits into from
Feb 2, 2024

Conversation

robbmanes
Copy link
Contributor

When performing a mirror-registry installation or restarting the "quay-pod" service, baked-in volumes to the image for /tmp and /var/log get created every time the quay-app container is made within the pod. By using --image-volume=ignore, any specifically defined Dockerfile VOLUME directives do not have volumes made for them, preventing anonymous volumes from being made by the podman run command.

Prior to adding this, anonymous volumes would pile up like so for these paths:

# podman volume ls
DRIVER      VOLUME NAME
local       0789eec164cb2f213978cba153ae09674ed8ca0d4c02f08949ac8e84eae793fd
local       1212ec379e7c2d54d15ee5593dd4395be56f58dc881a825d3f404987a798d4cc
local       1bcc7e6212e42f3c9ff4a5136600cb6472753530f5bd2c456b8e17e0748af4c2
local       657f30ef11a3138d8b96dbac15fa605a6b22c13f989950d6295dec98bec34c1f
local       7c57ab0f97a41d27952ecbefb362ac43b2427649a6ec69670d79cd001425cd80
local       824354b66d51d3c44d4ed2e6c649fe7f59cf75d254b4171ca62c31a416160a7d
local       82c976fe6ea41eda153a43f93fcbe60668d12db8630bd51df9abbd8f2f30343c
local       9bc0edce4c39db9e30ff909bcae3712be979a60906cbbf01edfe989eed47c4c9
local       b9558d39dc25ea3219d8851733f9698bfd4a0959bd5521331630b5d45463120f
local       bca7a41ba4a5509148df575eef0ee783555a2603f603d5fd974fdf0e7518ed4d
local       ec47c64a11a98d9a61ed71542cb9760d3fde20f939b6b9e6ba2dcdde4da7f03e
local       pg-storage
local       quay-storage

Now just the explicitly named volumes are made from the service units and no anonymous volumes are being made:

$ systemctl restart quay-pod --user

$ podman volume ls
DRIVER      VOLUME NAME
local       pg-storage
local       quay-storage

ibazulic
ibazulic approved these changes Oct 25, 2023
View reviewed changes
Copy link
Member

@ibazulic ibazulic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@HammerMeetNail HammerMeetNail changed the title Prevent anonymous volume creation Prevent anonymous volume creation (PROJQUAY-6053) Nov 1, 2023
@BadgerOps
Copy link
Contributor

thanks for this, it was driving me nuts! 🤣

@HammerMeetNail HammerMeetNail force-pushed the ignore_existing_image_volumes branch from 0ec904f to b79f44e Compare December 1, 2023 21:45
@HammerMeetNail HammerMeetNail added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Dec 1, 2023
harishsurf
harishsurf requested changes Dec 7, 2023
View reviewed changes
Copy link
Contributor

@harishsurf harishsurf left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@robbmanes thank sm for this! Could you also add the flag for the redis.service.j2? I am seeing one anon. volume created by redis on every pod restart on my machine:

$ podman volume ls
DRIVER      VOLUME NAME
local       1f63663da44c2dbc5561971877437ca2d9bdd48015fdb275eede096046123481
local       c317d65382a3df07e290cced33854642fe8f66f24b3ee0f801a6e62873830545
local       pg-storage
local       quay-storage

@jforce
Copy link

jforce commented Jan 16, 2024

Thanks for the work on this, can we finish it up and get it merged? IHAC who frequently complain about this

@bcaton85
Copy link
Contributor

@robbmanes Could take another look when you have a moment?

@robbmanes
Prevent anonymous volume creation
a8c19b6 
When performing a mirror-registry installation or restarting the
"quay-pod" service, baked-in volumes to the image for "/tmp" and
"/var/log" get created every time the "quay-app" container is made
within the pod.  By using "--image-volume=ignore", any specifically
defined Dockerfile VOLUME directives do not have volumes made for them,
preventing anonymous volumes from being made by the "podman run"
command.

Signed-off-by: Robb Manes <[email protected]>
@robbmanes robbmanes force-pushed the ignore_existing_image_volumes branch from b79f44e to a8c19b6 Compare January 29, 2024 13:46
@robbmanes
Copy link
Contributor Author

Sorry all; I got super sick for a long time. Am doing better now, PR squashed/updated to include redis template, tested WFM.

robbmanes
robbmanes commented Jan 29, 2024
View reviewed changes
Copy link
Contributor Author

@robbmanes robbmanes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the redis template in a squashed commit.

@robbmanes robbmanes requested a review from harishsurf January 29, 2024 15:32
@harishsurf harishsurf added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Jan 29, 2024
@HammerMeetNail HammerMeetNail added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Feb 2, 2024
@harishsurf harishsurf enabled auto-merge (squash) February 2, 2024 19:16
@harishsurf harishsurf merged commit 7687e88 into quay:main Feb 2, 2024
14 of 15 checks passed
@robbmanes robbmanes deleted the ignore_existing_image_volumes branch February 4, 2024 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ibazulic ibazulic ibazulic approved these changes

@harishsurf harishsurf harishsurf approved these changes

Assignees
No one assigned
Labels
ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@robbmanes @BadgerOps @jforce @bcaton85 @ibazulic @harishsurf @HammerMeetNail