README
¶
rkt-run
This package provides the rkt-run command, which
is intended to be installed setuid root, to enabled unprivileged users
to run containers using rkt, in a controlled fashion.
There are also rkt-run-helper and rkt-run-slave commands - see below.
rkt-run provides the following features:
-
enable unprivileged users to run rkt
-
enable concurrent use of pods
-
preservation of working directory of host within container
The system-wide configuration enables the system administrator to
control the following aspects of the rkt run command line:
-
aliases for images and their executables
-
volumes to be mounted
-
automatic prefix re-writing of image names
-
general, run, and image options
Basic Usage
All rkt run options are controlled by the config file,
/etc/rktrunner.toml, which should be carefully setup
by the local sysadmin.
Example use:
$ rkt-run -i -v qiime_
The -v option prints the full rkt run command which is
being run, as follows:
# /usr/bin/rkt --insecure-options=image run --interactive --net=host --set-env=HOME=/home/guestsi --volume volume-config,kind=empty,uid=511,gid=511 --volume volume-data,kind=empty,uid=511,gid=511 --volume home,kind=host,source=/home/guestsi quay.io/biocontainers/qiime:1.9.1--py27_0 --mount volume=home,target=/home/guestsi --user=511 --group=511 --exec sh
Note that the options are taken from the config file, which in this case looks like this:
rkt = "/usr/bin/rkt"
default-interactive-cmd = "sh"
[options]
general = ["--insecure-options=image"]
run = ["--net=host", "--set-env=HOME=/home/{{.Username}}"]
image = ["--user={{.Uid}}", "--group={{.Gid}}"]
[volume.home]
volume = "kind=host,source={{.HomeDir}}"
mount = "target=/home/{{.Username}}"
[volume.volume-config]
volume = "kind=empty,uid={{.Uid}},gid={{.Gid}}"
[volume.volume-data]
volume = "kind=empty,uid={{.Uid}},gid={{.Gid}}"
[alias.qiime_]
image = "quay.io/biocontainers/qiime:1.9.1--py27_0"
For further information, see the manpages for rkt-run and rktrunner.toml
Concurrent use of pods
The configuration option worker-pods may be used to enable concurrent use of pods. This is an optimisation, useful when large numbers of concurrent application processes are required. For each user and image, a single pod may be shared across all the application instances, by means of rkt enter.
When using worker-pods, it is important to remove idle workers using rktrunner-gc, which should be run regularly as root.
Before starting many application instances in parallel, it is necessary to prime the pump, that is, create an initial worker. This may easily be done using rkt-run --prepare, which simply creates a worker for the image in question, and exits without running the application.
Note that this feature is unlikely to be useful without the following rkt issues being addressed.
These are expected to be fixed in rkt 1.28.0.
rkt-run-helper
rkt-run-helper is a simple wrapper, which invokes rkt-run passing
as first argument the name it was invoked with, along with all the
other arguments.
The intended use is to have a directory on the system containing links
to rkt-run-helper, with names ruby, julia, etc. Then, if this
directory is on the path, scripts starting with the standard shebang
line as below will use rkt-run to run the containerized interpreter.
This relies on aliases for these programs being defined in rktrunner.toml.
#!/usr/bin/env ruby
puts 'Hello World from Ruby version ' + RUBY_VERSION
rkt-run-slave
rkt-run-slave is another wrapper, which runs within the container.
It optionally changes to the working directory as on the host.
Documentation
¶
Index ¶
- Constants
- Variables
- func BuildEnviron(environ map[string]string) []string
- func CanonicalImageName(raw string) string
- func GetConfig(path string, c *configT) error
- func GetFragments(c *configT, vars map[string]string, f *fragmentsT) error
- func GetWorkerPodUuids(state bool) (map[string]bool, error)
- func NewPathWaiter(path string) chan error
- func NewWaiter(w Waitable) chan error
- func ParseEnviron(env []string) map[string]string
- func PrintEnviron(w io.Writer, environ map[string]string)
- func UpdateEnviron(environ map[string]string, keyval string)
- func VisitPods(walker func(*VisitedPod) bool) error
- func WarnError(err error)
- func WarnOnFailure(err error)
- func Warnf(format string, args ...interface{})
- func WorkerPodDir(uuid string) string
- type ClassOptionsT
- type CommandT
- func (c *CommandT) AppendArgs(args ...string)
- func (c *CommandT) Exec() error
- func (c *CommandT) PreserveFile(f *os.File)
- func (c *CommandT) Print(w io.Writer)
- func (c *CommandT) Run() error
- func (c *CommandT) SetEnviron(envv []string)
- func (c *CommandT) Start() error
- func (c *CommandT) StartDaemon() error
- func (c *CommandT) Wait() error
- type ImageAliasT
- type ModeOptionsT
- type RunnerT
- type VisitedPod
- type VolumeT
- type Waitable
- type Worker
Constants ¶
const BatchMode = "batch"
valid modes
const CommonMode = "common"
const FetchClass = "fetch"
const GeneralClass = "general"
valid option classes
const ImageClass = "image"
const InteractiveMode = "interactive"
const OptionsTable = "options"
const RunClass = "run"
const WORKER_APPNAME_PREFIX = "rktrunner-"
Variables ¶
var ErrNotRoot = errors.New("must run as root")
Functions ¶
func BuildEnviron ¶ added in v0.24.0
BuildEnviron turns the environ map into a list of strings
func CanonicalImageName ¶ added in v0.19.1
CanonicalImageName converts the convenience prefixes into official paths, and ensures there is a tag suffix, by appending :latest if required.
func GetFragments ¶
func GetWorkerPodUuids ¶ added in v0.25.0
func NewPathWaiter ¶ added in v0.18.5
NewPathWaiter waits until the path appears
func NewWaiter ¶ added in v0.18.5
NewWaiter wraps a simple Wait() call in a goroutine, so multiple events can be awaited using select.
func ParseEnviron ¶ added in v0.24.0
ParseEnviron extracts all environment variables into a map
func UpdateEnviron ¶ added in v0.24.0
UpdateEnviron updates the map with a name=value
func VisitPods ¶ added in v0.18.0
func VisitPods(walker func(*VisitedPod) bool) error
VisitPods visits all pods, until the walker returns false.
func WarnOnFailure ¶ added in v0.18.2
func WarnOnFailure(err error)
func WorkerPodDir ¶ added in v0.18.0
Types ¶
type ClassOptionsT ¶ added in v0.14.0
type CommandT ¶ added in v0.18.0
type CommandT struct {
// contains filtered or unexported fields
}
func NewCommand ¶ added in v0.18.0
func (*CommandT) AppendArgs ¶ added in v0.18.0
func (*CommandT) PreserveFile ¶ added in v0.18.0
func (*CommandT) SetEnviron ¶ added in v0.18.0
func (*CommandT) StartDaemon ¶ added in v1.0.0
type ImageAliasT ¶ added in v0.5.0
type ModeOptionsT ¶ added in v0.14.0
type ModeOptionsT map[string]ClassOptionsT
type RunnerT ¶ added in v0.5.0
type RunnerT struct {
// contains filtered or unexported fields
}
func (*RunnerT) RemoveTempFiles ¶ added in v0.18.2
func (r *RunnerT) RemoveTempFiles()
type VisitedPod ¶ added in v0.18.0
type VisitedPod struct {
UUID string
AppName string
Image string
State string
Created string
Started string
}
func (*VisitedPod) String ¶ added in v0.19.0
func (p *VisitedPod) String() string
type Worker ¶ added in v0.18.0
type Worker struct {
AppName string
UUID string
Podlock *os.File
// contains filtered or unexported fields
}
func (*Worker) FoundPod ¶ added in v0.18.0
FoundPod returns whether we found (and locked) a suitable pod.
func (*Worker) InitializePod ¶ added in v0.18.0
InitializePod sets up a new pod for use as a worker, and locks it.
func (*Worker) LockPod ¶ added in v0.18.0
LockPod attempts to acquire a shared lock on the pod, without blocking.
func (*Worker) WarnOnFailureIfVerbose ¶ added in v0.24.0
WarnOnFailureIfVerbose warns if there is an error and we are in verbose mode
Source Files
Directories