NAS-120628 / 23.10 / Add IPFS app to community train

[stavros-k]

• Run as non-root (expect permissions container)
• Permissions containers has its Resources is limited to 512M + 1vcpu
• Configurable ports (applies when hostnet is enabled too)
• Allow for user defined env vars
• Apply port/headers configuration on each startup (Resources is limited to 512M + 1vcpu)
  • Maybe make headers optional?
• Allow custom config commands to be appended on the init script? Can be quite challenging for json payload. as users will be expected to correctly escape double quotes.

---

• Should this be named kubo or ipfs? Recently renamed to kubo (Minimal rename of go-ipfs in 2022Q2 ipfs/kubo#8959)
• Allow for user defined extra storage? Can't find something concrete if this app needs extra.

[bugclerk]

Jira URL: https://ixsystems.atlassian.net/browse/NAS-120628

[Qubad786]

Missing label

[stavros-k]

It's on purpose, As it's the same as the group name. And it just shows the same text twice

[Qubad786]

We are missing upgrade strategies files so these apps won't get updates..
Also are we going to chown the storage paths?

[stavros-k]

We are missing upgrade strategies files so these apps won't get updates.. Also are we going to chown the storage paths?

I'll need help with the update strategies, at least until I get how it works.

From my testing chown is needed for both host path and ixVolumes,
because the app does not runs as root.

[Qubad786]

@stavros-k for apps which are already present in charts train like ipfs - we can copy the strategies directly and for apps which don't already have one,please create tickets for those..

Where are we doing the chown?

[stavros-k]

@stavros-k for apps which are already present in charts train like ipfs - we can copy the strategies directly and for apps which don't already have one,please create tickets for those..

Where are we doing the chown?

We chown data and staging

[Qubad786]

And this happens only once on install?

[stavros-k]

And this happens only once on install?

Currently is at every startup, that was because I had to fix permissions before the init-config container runs. But permissions container was running after.

But with a little change I did in common before we merge it, I can now run it once at installation.

[Qubad786]

I think it should be once on installation as chown can be expensive..

[stavros-k]

I think it should be once on installation as chown can be expensive..

Agreed.

[Qubad786]

Do you think having another workload which only targets the install time workload makes more sense?
It feels weird that we have a workload defined which will be actually running ipfs and then we have under init container some metadata which says that this is only applicable on installatino of chart?

[stavros-k]

So the 01-permissions container is marked as type: install. Which common puts it between an if block of .Release.IsInstall.
Meaning it will only render at installation, upgrades will not render this at all.
ipfs container does not run as root, so it won't be able to do any chown.

The 02-init-config is type: init, meaning it will get rendered (and run on every start of the app).
Which in this case is needed as it configures the ports.

[Qubad786]

I see..i was seeing this differently as being a pre-install job or something but obviously that is not the case

[stavros-k]

Nop, it's just containers in the same Deployment.

Opted to not go for jobs in this case, as it's quick actions. And spinning a whole extra pod would require more configuration