According to the docs, we should get around 18GB worth of disk space available on ppc64le.
Running/Building containers using the included docker service fails with “disk quota exceeded” well before the 18GB limit (in fact 9GB).
This can be seen this pypa/cibuildwheel job or this pypa/auditwheel job. This pypa/cibuildwheel job has df -h logging to help understand the issue.
The fact that the tests ran in these job would require 9GB worth of disk was also kind of worrying. I did an experiment to run all of those tests using a rootless docker service instead:
This pypa/cibuildwheel job runs perfectly showing a disk usage which increased by ~1.5GB which is what I would expect (the peak usage is certainly higher, but not 7.5GB higher).
This pypa/auditwheel job also runs perfectly showing a disk usage which increased by ~1.6GB (the peak usage is certainly higher, and higher than for the cibuildwheel job, but not as high as to reach the limit)
IMHO, Travis CI should offer the option to run rootless docker or podman in LXD builders. It certainly helps with some permission issues (c.f. Ppc64le docker buildx permission issues depending on which group of workers the job runs on - #3 by mayeut) and would have helped here.
Wether we’re talking about podman or rootless docker, it’s challenging to set those up in a generic way on all those “exotic” platforms and incurs a maintenance cost on projects working around the “native docker service” limitations offered by Travis CI which should thus be fixed by providing alternatives.
Podman is not available in the default Ubuntu repositories and a newer version of Ubuntu than the default Travis one is needed. Podman assumes a Fedora/CentOS/RHEL container configuration (/etc/containers/registries.conf).
The problem with rootless containers is, when doing so it emulates a TCP/IP stack in userland and allows to use a network namespace from a container and let it access the outside world (with some limitations). These limitations can be a garden variety of different things, rate limit, all the way from people try nefarious things.
Flannel VXLAN seems to work via how it encapsulates packets, all in all there’s a lot of runtime vulnerabilities. You can certainly replace Docker with Podman via:
I will bring this topic up to some others and see what they ultimately think. I don’t think it’s a bad idea at all. It obviously takes a bit more knowledge on the end user side, but again I’m not opposed to bringing this up, and I will bring it up and keep you posted.
Thanks for the sample config, I will try that on the pypa/cibuildwheel project & get back with my findings.
Thanks also for the caveats about networking.
pypa/auditwheel can’t use podman for now because it uses the docker python package which relies on a docker daemon running (I should have seen this before considering podman as a viable direct alternative).
I tried to setup the new OBS repo (except on ppc64le where the package is not available). I could install it but I’ve never been able to run anything, followed multiple pointers to resolve this but couldn’t.
It always ended up with some error. I’m clearly no expert on podman (nor docker) & couldn’t find my way around those errors.