[Devel] vzpkg

Robert Nelson robertn at the-nelsons.org
Fri Aug 29 14:55:54 PDT 2008


Robert Nelson wrote:


<Unrelated content from previous messages removed>


I've created a git repo at git:://git.the-nelsons.org/pub/vzpkg.

>>> I haven't got a repo set up but I could set one up pretty easily.
>>>
>>>> So, how are you solving the problem of different RPMDB versions? 
>>>> You know, if you have used rpm-4.2 to create/manage an RPM 
>>>> database, the moment you use rpm-4.3 on it will become incompatible 
>>>> with rpm-4.2. The only way to fix that would be to use only 
>>>> specified RPM version.
>>>>
>>>> We can definitely use rpm from inside a VE only, but then another 
>>>> problem of duplicate downloads arises.
>>>>
>>>
>>> This problem was pretty easy to solve once I figured out what was 
>>> going on.  I just remove the __db.* files before and after running 
>>> commands in the HN then RPM automatically rebuilds them on the next 
>>> command.
>> Hmm... __db* files are just some temporary cache, removing those are 
>> safe (and is sometimes required) but it's not gonna help.
>>
>> Here's a simple test:
>>
>> 1. Create a container using some template cache which uses RPM of 
>> different version than one on your host system. For example, CentOS4 
>> uses rpm-4.3, CentOS 5 -- rpm-4.4
>>
>> 2. Start a container:
>> # vzctl start NNN
>>
>> 3. Check container's RPM is working fine (it should at this point):
>> # vzctl exec NNN rpm -q rpm
>>
>> 4. Check if host RPM is working:
>> # rpm --root /vz/root/NNN -q rpm
>>
>> 5. Check if container RPM is working:
>> # vzctl exec NNN rpm -q rpm
>>
>> Sure you can insert removing of __db.* files in the appropriate 
>> places and see if it helps.
>>
>
> I've already tested this.  But I don't use rpm directly in the HN, 
> just my new vzpkg* functions which automatically remove the __db.* 
> files before and after.  The new vzpkg* commands also take care of 
> Debian packages now and will deal with Gentoo portage in the future.
>
>>> For the yum-cache, I mount the /vz/template version of the cache 
>>> into the VE.  I do the same for the apt/archives on Debian.
>>
>> If you do it read-only, how do you handle the case yum/apt wants to 
>> write something to it?
>>
>> If you do it read-write, how can you make sure that an evil container 
>> root will not put some home-baked Trojaned packages into that area?
>>
>
> Currently I mount it rw, but only while a vzpkg* command is running.  
> If the VE manages their own packages they don't get to share the 
> cache.  There is still a window while the vzpkg command is running but 
> I don't know how to specify different access to a directory for the HN 
> versus the VE.  Is there a way?
>

One possibility is to require that the VE be stopped in order to perform 
vzpkg adds or updates.  This is the opposite of the current vzpkg policy.

> Long term, the best solution is probably implementing something like 
> Debian's apt-cacher for rpms and then running apt-cacher and 
> "rpm-cacher" on the HN.
>
>>>
>>>>> Is this something that you would like to incorporate into the 
>>>>> product?
>>>>>
>>>>> One of the things I noticed was that there was a lot of 
>>>>> duplication in scripts and data files.  This is because everything 
>>>>> is stored in an OS/Version/Platform/Config directory, even though 
>>>>> there may not be any difference between the corresponding files 
>>>>> between platforms or even Versions.
>>>>>
>>>>> I have a change which is backwards-compatible which allows config 
>>>>> directories anywhere in the template tree.  Files lower in the 
>>>>> tree override any specified higher in the tree.
>>>>>
>>>>> For example, instead of this directory structure:
>>>>>
>>>>>    /vz/template
>>>>>       centos
>>>>>          4
>>>>>             i386
>>>>>                config
>>>>>                    minimal.list
>>>>>                    yum.conf
>>>>>                    ...
>>>>>             x86_64
>>>>>                config
>>>>>                    minimal.list
>>>>>                    yum.conf
>>>>>                    ...
>>>>>
>>>>> You would have:
>>>>>
>>>>>    /vz/template
>>>>>       centos
>>>>>          config
>>>>>             minimal.list
>>>>>          4
>>>>>             i386
>>>>>                config
>>>>>                   yum.conf
>>>>>                   ...
>>>>>
>>>>> This eliminates a lot of duplicate work and is less error prone.
>>>> Will the minimal.conf in 
>>>> /vz/template/centos/5/i386/config/minimal.list be an addition to, 
>>>> or a replacement for /vz/template/centos/config/minimal.list?
>>>>
>>> Currently it is a replacement, in all the templates I looked at the 
>>> files were exactly the same.  The *.list files just list the desired 
>>> functionality which doesn't change, the big changes are the 
>>> dependencies which are handled automatically.  But they definitely 
>>> don't differ between architectures for the same release.
>>>
>>> I handle things a little differently for Debian / Ubuntu since 
>>> debootstrap files provide the initial set.  Packages listed in the 
>>> *.list file are added to a --include option to debootstrap, if they 
>>> have a trailing - then they are added to --exclude.
>>>> In case it's addition, say you have a package called httpd in 
>>>> /vz/template/centos/config/minimal.list. What if in CentOS 6 we 
>>>> don't want package with that name, but want something called httpd3 
>>>> instead? I mean, we can definitely add more packages, but how can 
>>>> we "remove" packages?
>>>>
One thing may not of been clear since I didn't use it in the example.  
This doesn't just apply to the *.list files.  It includes any file / 
directory that normally resides under config.

So the gpgkeys directory could be moved to Fedora/7/config to eliminate 
the duplication under i386 and x86_64.  The install-post script could be 
under Fedora/config for the normal case and under Fedora/7/config if 
that version was particularly different.

For everything but the *.list files it really only makes sense to use 
replacement.  However the *.list files could be handled differently 
using a merge mechanism such that a trailing - on the package name means 
remove it from the inherited list.


<Unrelated content from previous messages removed>




More information about the Devel mailing list