Right now, we are running docker builds by simply mounting the docker socket into a container. Would using docker-in-docker (dind) allow us to run builds inside a pod? If so, this could give us access to init containers and other restrictions we are applying to user pods on builds. This could be deployment-specific, but I imagine some amount of support would be needed here.
I have no idea if this would work, but it's an idea!
Hah, I've been thinking about this too!
The biggest disadvantage I could find for DIND was that we would not retain layer cache across builds. But then I realized that's only true if we used a sidecar DIND per build, but since we're on k8s we don't have to do that!
So instead I've been playing with running an additional docker daemon per host as a daemonset. We can use an emptydir volume to mount /var/lib/docker and a special hostPath to provide /var/run/docker.sock. This would allow repo2docker to easily connect to this new docker daemon. This gives us several advantages:
To determine:
But so far it looks very promising!
ok, I have this working now!
```yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: dind
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      name: dind
  template:
    metadata:
      labels:
        name: dind
    spec:
      containers:
      - name: dind
        image: docker:dind
        args:
        - dockerd
        - --storage-driver=overlay2
        - -H unix:///var/run/dind/docker.sock
        securityContext:
          privileged: true
        volumeMounts:
        - name: varlibdocker
          mountPath: /var/lib/docker
        - name: rundind
          mountPath: /var/run/dind
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlibdocker
        emptyDir: {}
      - name: rundind
        hostPath:
          path: /var/run/dind/
```
```python
c.BinderHub.docker_api_url = "/var/run/dind/docker.sock"
```

Note that if you're using the debug mode where you aren't using a registry, hub will fail to launch since kubernetes won't find the image - locally, these two docker repos have entirely different image caches.
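The manifest above wires three things together that have to agree: the `-H unix://...` socket dockerd listens on, the `volumeMount` that directory sits under, and the `hostPath` volume backing that mount (which is what makes the socket visible on the node, so `c.BinderHub.docker_api_url` can point at it). It also runs the container privileged and exposes a host directory, which is exactly what a cluster reviewer will want listed before the DaemonSet is admitted. The following is an added example, not BinderHub's or the thread author's code: a stdlib-only audit that takes the DaemonSet as a Python dict (a constructed copy of the YAML above, in the same structure Kubernetes accepts as JSON), reports privileged containers and hostPath volumes, and resolves the dockerd socket to the host-side path it will actually appear at, returning `None` if the socket's mount is not hostPath-backed (for example an `emptyDir`, in which case no client outside the pod could reach it). The function names `audit_daemonset`, `dockerd_socket_path` and `host_path_for` are this example's own.

```python
"""Audit a dind DaemonSet for the settings that have to line up (added example,
not BinderHub's own code). DIND_MANIFEST is a constructed dict copy of the
DaemonSet posted above; only the standard library is used."""
import re
from posixpath import commonpath

# Constructed copy of the dind DaemonSet from the thread, as a Python dict.
DIND_MANIFEST = {
    "apiVersion": "extensions/v1beta1",
    "kind": "DaemonSet",
    "metadata": {"name": "dind"},
    "spec": {
        "updateStrategy": {"type": "RollingUpdate"},
        "selector": {"matchLabels": {"name": "dind"}},
        "template": {
            "metadata": {"labels": {"name": "dind"}},
            "spec": {
                "containers": [{
                    "name": "dind",
                    "image": "docker:dind",
                    "args": ["dockerd", "--storage-driver=overlay2",
                             "-H unix:///var/run/dind/docker.sock"],
                    "securityContext": {"privileged": True},
                    "volumeMounts": [
                        {"name": "varlibdocker", "mountPath": "/var/lib/docker"},
                        {"name": "rundind", "mountPath": "/var/run/dind"},
                    ],
                }],
                "terminationGracePeriodSeconds": 30,
                "volumes": [
                    {"name": "varlibdocker", "emptyDir": {}},
                    {"name": "rundind", "hostPath": {"path": "/var/run/dind/"}},
                ],
            },
        },
    },
}

# Matches the unix socket path in a dockerd "-H unix:///path" argument.
SOCKET_RE = re.compile(r"unix://(/\S+)")


def dockerd_socket_path(container):
    """Return the unix socket path dockerd is told to listen on, or None."""
    for arg in container.get("args", []):
        m = SOCKET_RE.search(arg)
        if m:
            return m.group(1)
    return None


def host_path_for(container_path, container, volumes):
    """Translate a path inside the container to where it lands on the node.

    Returns the host path if the enclosing volumeMount is backed by a hostPath
    volume, and None if it is backed by anything else (emptyDir etc.), since
    then nothing outside the pod can see it.
    """
    by_name = {v["name"]: v for v in volumes}
    for mount in container.get("volumeMounts", []):
        mount_path = mount["mountPath"].rstrip("/")
        if commonpath([mount_path, container_path]) != mount_path:
            continue  # this mount does not contain the path
        host_dir = by_name.get(mount["name"], {}).get("hostPath", {}).get("path")
        if host_dir is None:
            return None
        rel = container_path[len(mount_path):].lstrip("/")
        return host_dir.rstrip("/") + "/" + rel
    return None


def audit_daemonset(manifest):
    """Summarise privileged containers, hostPath volumes and dockerd sockets."""
    pod = manifest["spec"]["template"]["spec"]
    volumes = pod.get("volumes", [])
    findings = {"privileged": [], "host_paths": [], "docker_sockets": {}}
    for vol in volumes:
        if "hostPath" in vol:
            findings["host_paths"].append(vol["hostPath"]["path"])
    for c in pod["containers"]:
        if c.get("securityContext", {}).get("privileged"):
            findings["privileged"].append(c["name"])
        sock = dockerd_socket_path(c)
        if sock:
            # The host-side path is what BinderHub's docker_api_url must use.
            findings["docker_sockets"][c["name"]] = host_path_for(sock, c, volumes)
    return findings


if __name__ == "__main__":
    for key, value in audit_daemonset(DIND_MANIFEST).items():
        print(f"{key}: {value}")
```

Running it against the thread's manifest reports the `dind` container as privileged, `/var/run/dind/` as the single hostPath, and resolves the dockerd socket to `/var/run/dind/docker.sock` on the node, which matches the `docker_api_url` setting above; if `rundind` were changed to an `emptyDir`, the socket entry becomes `None`, flagging that BinderHub would have nothing to connect to.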
I believe this will also help us get rid of the 'disk space full' errors, since restarting the DIND pods will get rid of all state!
This was implemented with #319. It hasn't been turned on yet for mybinder.org however.
We do this now, and @minrk has turned it on for mybinder.org!