From af11d8cd58e1c88b378f1ce1086662c9f200cba7 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Wed, 13 Jan 2021 09:47:39 -0500 Subject: [PATCH] Run Tilt images as root for faster reload Previously, when triggering a Tilt reload via a *.go file change, a reload would take ~13 seconds and we would see this error message in the Tilt logs for each component. Live Update failed with unexpected error: command terminated with exit code 2 Falling back to a full image build + deploy Now, Tilt should reload images a lot faster (~3 seconds) since we are running the images as root. Note! Reloading the Concierge component still takes ~13 seconds because there are 2 containers running in the Concierge namespace that use the Concierge image: the main Concierge app and the kube cert agent pod. Tilt can't live reload both of these at once, so the reload takes longer and we see this error message. Will not perform Live Update because: Error retrieving container info: can only get container info for a single pod; image target image:image/concierge has 2 pods Falling back to a full image build + deploy Signed-off-by: Andrew Keesler --- deploy/concierge/deployment.yaml | 4 ++-- deploy/concierge/values.yaml | 5 ++++- deploy/local-user-authenticator/deployment.yaml | 6 +++--- deploy/local-user-authenticator/values.yaml | 5 ++++- deploy/supervisor/deployment.yaml | 6 +++--- deploy/supervisor/values.yaml | 5 ++++- hack/lib/tilt/Tiltfile | 8 +++++++- 7 files changed, 27 insertions(+), 12 deletions(-) diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml index d7044bea..f5963549 100644 --- a/deploy/concierge/deployment.yaml +++ b/deploy/concierge/deployment.yaml 
@@ -90,8 +90,8 @@ spec: scheduler.alpha.kubernetes.io/critical-pod: "" spec: securityContext: - runAsUser: 1001 - runAsGroup: 1001 + runAsUser: #@ data.values.run_as_user + runAsGroup: #@ data.values.run_as_group serviceAccountName: #@ defaultResourceName() #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": imagePullSecrets: diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml index 5bf74834..5aab13c8 100644 --- a/deploy/concierge/values.yaml +++ b/deploy/concierge/values.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@data/values @@ -54,3 +54,6 @@ api_serving_certificate_renew_before_seconds: 2160000 #! Specify the verbosity of logging: info ("nice to know" information), debug (developer #! information), trace (timing information), all (kitchen sink). log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. + +run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process +run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process diff --git a/deploy/local-user-authenticator/deployment.yaml b/deploy/local-user-authenticator/deployment.yaml index 73fc2c50..9845800a 100644 --- a/deploy/local-user-authenticator/deployment.yaml +++ b/deploy/local-user-authenticator/deployment.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") 
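Review bot: The pod-level `securityContext` in the deploy/concierge/deployment.yaml hunk no longer pins a non-root identity: whatever `run_as_user` / `run_as_group` data value is supplied, including 0, is rendered straight into `runAsUser` / `runAsGroup`, and nothing in the template says root is meant for the Tilt loop only. I would add a ytt comment above the two lines, `#! Defaults to 1001 in values.yaml; 0 (root) is intended only for local Tilt development.`, and consider rendering `runAsNonRoot: #@ data.values.run_as_user != 0` beside them so a default install states its non-root requirement explicitly. The same applies to the matching hunks in deploy/local-user-authenticator/deployment.yaml and deploy/supervisor/deployment.yaml. The Deployment spec starts and ends outside the hunk.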
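Review bot: The inline comments on the new `run_as_user` and `run_as_group` keys name the wrong component: this hunk is in deploy/concierge/values.yaml, yet both comments say the IDs will own the local-user-authenticator process, and the hunk in deploy/supervisor/values.yaml carries the same copied text. Since these keys now decide whether the pod runs as root, the comment should name the right workload and state the safe default, for example `run_as_user: 1001 #! user ID that will own the Concierge process; keep non-zero outside local development` (and `Supervisor` in the supervisor file). A reader tuning a production install from these comments alone could otherwise conclude the keys do not affect the component in front of them.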
@@ -48,8 +48,8 @@ spec: app: local-user-authenticator spec: securityContext: - runAsUser: 1001 - runAsGroup: 1001 + runAsUser: #@ data.values.run_as_user + runAsGroup: #@ data.values.run_as_group serviceAccountName: local-user-authenticator #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": imagePullSecrets: diff --git a/deploy/local-user-authenticator/values.yaml b/deploy/local-user-authenticator/values.yaml index 86a4248d..56f61748 100644 --- a/deploy/local-user-authenticator/values.yaml +++ b/deploy/local-user-authenticator/values.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@data/values @@ -14,3 +14,6 @@ image_tag: latest #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' #! Optional. image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}} + +run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process +run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml index 1e0c75c0..da9dba99 100644 --- a/deploy/supervisor/deployment.yaml +++ b/deploy/supervisor/deployment.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") 
@@ -64,8 +64,8 @@ spec: labels: #@ defaultLabel() spec: securityContext: - runAsUser: 1001 - runAsGroup: 1001 + runAsUser: #@ data.values.run_as_user + runAsGroup: #@ data.values.run_as_group serviceAccountName: #@ defaultResourceName() #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": imagePullSecrets: diff --git a/deploy/supervisor/values.yaml b/deploy/supervisor/values.yaml index a4575c3c..e522155f 100644 --- a/deploy/supervisor/values.yaml +++ b/deploy/supervisor/values.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@data/values @@ -56,3 +56,6 @@ service_loadbalancer_ip: #! e.g. 1.2.3.4 #! Specify the verbosity of logging: info ("nice to know" information), debug (developer #! information), trace (timing information), all (kitchen sink). log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. + +run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process +run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile index cb455004..c1c40bf7 100644 --- a/hack/lib/tilt/Tiltfile +++ b/hack/lib/tilt/Tiltfile @@ -60,6 +60,8 @@ k8s_yaml(local([ '--file', '../../../deploy/local-user-authenticator', '--data-value', 'image_repo=image/local-user-auth', '--data-value', 'image_tag=tilt-dev', + '--data-value-yaml', 'run_as_user=0', + '--data-value-yaml', 'run_as_group=0', ])) # Tell tilt to watch all of those files for changes. watch_file('../../../deploy/local-user-authenticator') 
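Review bot: The `run_as_user=0` / `run_as_group=0` values added to the local-user-authenticator `k8s_yaml` call make the Tilt deployment run as root while the release default stays 1001, and the Tiltfile gives no reason for it, so permission problems that only appear for UID 1001 will not surface in the dev loop. I would put a comment above the two arguments, `# Run as root so that Tilt Live Update works; the release default in values.yaml is UID/GID 1001.`, and keep at least one non-Tilt integration run on the default values. The same applies to the supervisor and concierge `k8s_yaml` hunks later in this file. The `k8s_yaml(local([...]))` call starts outside the hunk.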
@@ -108,6 +110,8 @@ k8s_yaml(local([ '--data-value-yaml', 'service_https_nodeport_nodeport=31243', '--data-value-yaml', 'service_https_clusterip_port=443', '--data-value-yaml', 'custom_labels={mySupervisorCustomLabelName: mySupervisorCustomLabelValue}', + '--data-value-yaml', 'run_as_user=0', + '--data-value-yaml', 'run_as_group=0', ])) # Tell tilt to watch all of those files for changes. watch_file('../../../deploy/supervisor') @@ -152,7 +156,9 @@ k8s_yaml(local([ '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/master|control plane/ {print $NF}\') ' + '--data-value log_level=debug ' + '--data-value-yaml replicas=1 ' + - '--data-value-yaml "custom_labels={myConciergeCustomLabelName: myConciergeCustomLabelValue}"' + '--data-value-yaml "custom_labels={myConciergeCustomLabelName: myConciergeCustomLabelValue}" ' + + '--data-value-yaml run_as_user=0 ' + + '--data-value-yaml run_as_group=0', ])) # Tell tilt to watch all of those files for changes. watch_file('../../../deploy/concierge')
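Review bot: In the concierge `k8s_yaml` hunk the two `run_as_*=0` arguments give up the non-root default without a visible benefit, because the commit description says Concierge Live Update still falls back to a full image build while two pods use the image. Until that is resolved I would drop the added `'--data-value-yaml run_as_user=0 ' +` and `'--data-value-yaml run_as_group=0',` lines from this command so it keeps the 1001 default, or at least state the reason in a comment above them. Whether the kube cert agent pod also picks up this UID is not visible in the hunk and is worth confirming before it runs as root as well.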