-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sidecar containers for docker agents #84
Comments
There is no way to not have the GoCD agent be involved at all, since it is what knows how to send logs back securely, etc. It will be needed for that communication, for sure. |
Over the last 2 years ( since i looked at GoCD and was generally very impressed ) i looked at a lot CI/CD solutions and also there technical implementation regarding agents/docker (currently using ConcourseCI). Those CI/CD solutions split into 4 groups (in terms of docker build integration): I specifically did not pick up any features regarding For example Teamcity/Jenkins would be c), concourse/circleCi would be d) and GoCD/Bamboo is b), rarely its a) Back to the topic, all implementations in c) and d) are actually the same, they just differ in the underlying "host" running the docker builder . in c) we often see a non-docker host running a docker engine. Also a special build task called can be found "run this cli commands in a docker image aka builder". Also the host is a build agent itself and can build "locally" too, usually the default task in d) we often see the host being either very slim, docker engine only, or being a docker container itself. All tasks run in builders, no other options I call the docker-image we build in "builder" and the host creating/destroying the builds "host" The technical implementations are always the same: i) the "agent" (host) starts a docker-image and uses volume mounts for input-artifacts (materials), and outputs like logs / artfifacts. So like
II) The "Build" itself is run as a "script", which the user defines either inline in the build or a command ( pre-deployed script in the builder). For the former, the script is just saved on the host and volume-mounted into the docker-container-builder III) the build-script ( often called task ) is run using and all logs are already piped to the host
or using
IV) If docker is "a requirement" in the builder, one is required to use Docker in Docker **V) ** Some also add a configureable ( several ) cache-mount which is not flushed. Usually we are talking about And that is about it. If an "agent" is used, its used on the host and the agent can then transport whatever there is "Users" are often required to design there build-scripts that way, that the copy there artifacts into the Those concept are robust, intuitiv, do not require the user to use special docker images. The d) group removes the entire "requirements" section from the host, including the cleanup job. There is no agent pollution in a lot more. c) is nearly in all cases CI/CD solutions which have been there for a while and transition to docker-only builds somehow or consider the mix of agent-local or docker-based builds as a good solution ( why not ?) but try to have docker-based builds as first-class citizen too. Sorry for the huge post, but i see the GoCD people trying to onboard to the c) group for quiet a while now (with a crying eye) but i somewhat stick to your build-agent idea so much that you are not able to deliver the "docker builder" experience without making the docker-build image "your own" In the c) d) group people do not even create own containers, they pick It would be so great if you could just adopt the You could throw away all your docs about how to "create a docker image" (builders) and all those things. It just works. To go back to the initial issue topic, why use it as a sidekick, at all? Use the agent on the host, run the task in the builder and get all the assets back using volumes. You will go for the dead horse otherwise, since docker swarm does not support volumes (v3) and you will overcomplicate the setup more then needed. Whoever happened to read until this very bottom, sorry for the long post. Just add a sad face and punish me :) |
@EugenMayer Thank you for taking the time to write a long, informational comment! Obviously, I can't respond point-by-point. :) But, I'll try and answer some questions / comments: 1. Why use a sidecar at all? Why not just
|
Well i expected the agent to be a tunnel for materials and all kind of inputs, including the way back of the artifacts, but i cannot see a reason why the agent operates "locally" as if the task is running locally, but the task actually is running in the docker build and streaming back all the assets including the logs, live on the agents file-system using a host-mount. This seems absolutely transparent and does not break anything. Beside that, i do not intend to break the agent, it should be where it is actually for all people to use who they want it / has been used in the past. I want to give the agent a new mode of execution with pipes back - in a docker container. Every single CI/CD solution came from the very same spot GoCD is right now, and they either had a "transition" time with this kind of "agent with special run mode" or they are still use it as a permanent solution to have both worlds for any kind of user taste. So i did not intend to remove anything from the current GoCD capabilities. But hands down
that is not a Other then that, i would really love to see that! GoCD is just the best solution out there, but "builders" are just nothing "optional" or "nice to have" anymore for me. We build so many different languages with so many different versions of them, from node8-11, ruby1.9-2.4, java7-10,php5.6-7.2, golang 1.9-1.11 ... there is no way i can configure and maintain this matrix for all the projects in some "self made gocd agents" or something i would need to build myself. The developers prepare the build environment and that is what they test in locally, build in and build in in ci/prod. I would say, there are a lot of pros/cons/concerns about docker in production, a lot of opinions one can have. But i am not sure there is a single con point for building CI task in a docker container - that is why the whole sector is moving there (IMHO). And with GoCD's material/ pipeline concept..combined with that..i am dreaming again, sorry :) |
So, this would mean allowing agents to upload artifacts from outside the agent working directory? Currently, there is no validation while trying to configure a job with a build artifact which is outside of the agent working directory. But the job fails with Thought of mentioning the above because of What happens when the user that should run the primary container is not the go user that's been created in the gocd agent docker images? Access-wise I mean, in case something needs to be on a shared volume? And if something owned by some other user needs to be uploaded as an artifact to the gocd server? |
Not necessarily. The agent is running inside the container and can enforce whatever rules it wants to, right?
Yes, that changing of
If it is going to be just a Also: @EugenMayer is right. I probably misused the word "sidecar". |
This might not be the right place for it (should it be part of docker-swarm elastic agents or k8s maybe?). However, it will do for now.
The idea I want to discuss is the same as the title: Have a docker image which consists of the GoCD Agent. Use
--volumes-from
to bring that into a user-specified docker image which doesn't have the GoCD agent at all, and run it from there.The obvious benefit is that images don't need to be built/rebuilt with the GoCD agent in it. So, users can use whatever they already have, which might be based on scratch or compliant with their security protocols, etc.
All of the elastic agent plugins which use docker containers will need to change to allow this. They'll need to be aware of the sidecar container too.
@ketan says: "We'd likely need to setup some bootstrapper to change dir to the actual container before running the agent (which sits on the sidecar container). That way the
--volumes-from
can remain mounted read-only, and more importantly, pristine. It should be possible to publish just a sidecar image with the jre+golang bootstrapper for musl and glibc."The text was updated successfully, but these errors were encountered: