-
-
Notifications
You must be signed in to change notification settings - Fork 816
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature] Docker container overhaul #4300
Comments
High level overview and TODO trackerdeveloping in https://github.com/feederbox826/stash-s6 container
Building
Documentation
|
The theory of why the changes need made is on par with what I’d want implemented. Privilege reduction proper installation of software requirements my biggest issue is that it needs to help users from before keep working ideally |
Yep, my plan right now is to test it in my own repository to iron out any bugs, and write mgirations for both hotio/stash and stashapp/stash so that users can migrate over seamlessly or as seamless as |
another problem people have with docker installs is python packages, might be worth taking a look at setting up a venv so that plugins and scrapers that require other packages don't need to reinstall them on every reboot alternately we may be able to get away with just setting a couple environment variables to a mount from the host |
Could we keep a rootless container option without s6? It causes particular problems on kubernetes as it aggressively CHOWNs files and can cause a container to fail to start by exceeding the probes time limits. It must also be run as root on kubernetes to allow the inital s6 operations to take place which isn't ideal since we're aiming for rootless. |
cache and PIP_INSTALL_TARGET are both set to a volume |
the |
From a professional perspective, LSIO containers are not good containers. Calling LSIO a "convention", makes it seem like it's somehow a high grade container standard, which it's quite obviously not.
To be clear: The main container still runs as root in S6 and requires multiple(!) layers of security precautions in kubernets to be disabled. It also prevents things like supplemental groups to be used correctly.
The solution for which is adapting this behavior, not migrating to S6 overlay based containers |
Either way I'm discussing with @Leopere to drop s6 in favor of a (b)ash script but,
They're not good but they work out of the box for 99% of users which imo is more important than accomodating someone who is already building their own helmchart and should know how to build their own container k8s, as much as we would like to try and dance around, is not exactly docker, but that's a tangent for another time.
iirc #684 is not to run a root-less container, is to run as a non-priviledged user within a rooted container. |
I'll try to get the bash scripts out the door, but I have a some personal negative experiences with k8s but PRs are always welcome. |
Writhing a helm chart is a lot different than writhing containers as they are a LOT easier to standardise and maintain. Easier in terms of dev-time per application. Just because I can technically do something, doesn't mean the project I maintain has the manpower to do so on a scope of 900 help charts.
Well, in terms of security: Yes it offers a lot more options to lock-down. But in general it has quite clear best-practices that aline with docker itself as well in certain areas: But it's not rocker science:
|
As someone who has written for and used both k8s and docker, in the context of Stash, k8s makes no sense for most people. Docker is a much more easily supported standard, and more so, the level of support it generates is already high. K8s would not improve matters. |
Dropped s6 in favor of an ash entrypoint script Limitations of root-less
but that's inevitable. If you have further suggestions, you seem much more versed in rootless and k8s compatibility so I look forward to your PRs |
Please also add the |
already bundled :) https://github.com/feederbox826/stash-s6/blob/main/stash/root/defaults/requirements.txt |
Just a quick status update while I'm here - Right now it's down to figuring out mutli-arch workflow and makefile support for local and CI integration. Progress has been slow since I'm not used to this many layers of build dependencies and integrating into the existing CI for multiarch releases |
Would be great to add an environment variable to install packages like it is done in: |
not sure if this is a general comment or a critique of the current method - the current method is to search the plugin and scraper dirs reursively for matching requirements.txt as well as it being a mappable override https://github.com/feederbox826/stash-s6/blob/main/stash/root/opt/entrypoint.sh#L231-L290 |
Any news on this, do you have a rough assumption maybe for when the new docker images will become available? Thanks a lot for your efforts!! |
Sorry, I've been taking an extended break from stash et al. after getting burnt out. No promises but I'm aiming to get back on track by July 😓 |
Take care of your self @feederbox826, your expertise is appreciated but nothing worth burning out over! I'm sure someone else can pick up the great work you've already put in here |
I'm close to being able to wrap up the project independently (build-from-source excluded) I would love to have some testers that have
and some info if AMF (AMD) is officially supported |
Seems nobody here has the respective Hardware available. |
I got an ARC myself and someone else verified V4L2, I haven't figured out the build process yet |
Is your feature request related to a problem? Please describe.
$HOME/.stash
for config filesDescribe the solution you'd like
A proper LSCR.io - like base forhandling common environment variables like/config
directory instead of/root/.stash
Describe alternatives you've considered
N/A
Additional context
I want to work on this. Please assign me to this. I've done this for other projects and I am eager to finally do it for stash
The text was updated successfully, but these errors were encountered: