Support running BinderHub on K8s without Docker #1513
Comments
Hi, thanks for getting this started! While waiting to get this definitely running, one alternative could be to have a cluster with nodes using different runtimes (or just Docker available) so that one can isolate the Docker-requiring pods to one or more dedicated nodes. Is this something that should be documented?
I did some additional tests and realized that there is no need for a heterogeneous cluster. One can either have Docker installed on the build nodes if the Unix socket is used or use the dind deployment. For the push part, manics/repo2podman/pull/32 is a starting point. The next thing to do is to mount the Docker credentials in an appropriate folder and point podman to it (depending on whether the pod is run as a different user than root). This can be done in a similar fashion as for now; however, there might be a need to set the
Following up on yesterday's conversation with @sgaist after jupyterhub/team-compass#554 (please correct me if I've said anything incorrect or missed anything!)
Nice to haves
The Podman-in-Kubernetes is the quickest solution. The nice to haves require significantly more investigation and work so may be best left for a future PR, unless we come up with a good plan now for potentially re-architecting BinderHub.
I tested the image cleaner and from the looks of it, it is working. However, there might be one thing that we maybe should add to the documentation somewhere: unless the cleaner is connected to the host Docker daemon, and the node uses cri-dockerd (k8s >= 1.24), it cannot be relied upon to lower the disk pressure in the Kubernetes image storage context.
Thank you very much for your suggestion. I just add an extraConfig to overload
Most of this was done in #1531! There are a few follow-ups but the key requirement (run without Docker) is done!
Proposed change
Docker has been removed from several K8s distributions. In addition there have been requests to run BinderHub on more restricted K8s distributions such as OpenShift https://discourse.jupyter.org/t/unable-to-attach-or-mount-volumes-unmounted-volumes-dockersocket-host/14950
Alternative options
Do nothing, though in future we may need to modify the deployment instructions to ensure Docker is available on the K8s hosts.
Who would use this feature?
Someone who wants to run BinderHub on K8s without Docker.
Someone who wants to run BinderHub with reduced privileges.
(Optional): Suggest a solution
There are several non-Docker container builders available, including:
repo2podman already works https://github.com/manics/repo2podman and it shouldn't be too hard to swap in one of the other builders.
In theory it should be possible to run these without full privileges, with limited added capabilities, e.g.
So far I've managed to get a proof-of-concept podman builder running using full privileges, supported by #1512 on AWS EKS:
There are several limitations: