buildah icon indicating copy to clipboard operation
buildah copied to clipboard

Published 20 hours ago verified publisher icon containers

RFC: buildah bud cache network namespace for all run statements

Open Luap99 opened this issue 3 years ago • 8 comments

When building a dockerfile with more than one run statement and private networking set, buildah will create a new network namespace each time. Network setup and teardown is slow especially for CNI (60-100 ms on my laptop just for one setup). I think we can improve the build time when we reuse the network namespace.

One problem with this could be when a process is modifying the network namespace and the next run command wants to start from a "clean" state. Also I do not think this can work with custom uid/gid mapping.

Luap99 avatar Jan 12 '22 13:01 Luap99

@Luap99 I don't think we should do this by default for the very same reason that each RUN has ability to modify and playaround in network namespace and other RUN should not inherit those changes unless specified.

Do you think we could have a dedicated flag for advanced users --share-namespaces [] where users could do it if they want to but I doubt if any regular user would like to do it.

flouthoc avatar Jan 13 '22 09:01 flouthoc

If the container is run with seccomp and restricted capabilities (which is the default AFAIK) you cannot change the network namespace in any meaningful way. I think this could be a good way to save build time. We need to execute the network stack every time, also if we really enable dns by default for netavark then this will get even slower.

Luap99 avatar Jan 13 '22 09:01 Luap99

BTW I just tried this with docker build and they share the same namespace

Luap99 avatar Jan 13 '22 10:01 Luap99

Do you think we could have a dedicated flag for advanced users --share-namespaces [] where users could do it if they want to but I doubt if any regular user would like to do it.

Then this should be other-way around for the people who want to do changes with custom seccomp and capabilities maybe --dont-share-namespaces [].

flouthoc avatar Jan 13 '22 10:01 flouthoc

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Feb 13 '22 00:02 github-actions[bot]

If this is not a problem with netavark, should we close?

rhatdan avatar Feb 14 '22 21:02 rhatdan

Netavark is faster than CNI but it is still slow (about 40 ms for a simple setup call). I think this could safe a lot of time for people with many run statements.

Luap99 avatar Feb 15 '22 14:02 Luap99

What is your definition of many run statements? I could potentially see this in CI systems, but I think in the real work not likely to be seen. I don't think this effects RUN commands in Containerfiles. My fear here is the complexity of cleaning this up. @nalind WDYT?

rhatdan avatar Feb 15 '22 19:02 rhatdan

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Nov 20 '22 00:11 github-actions[bot]

@Luap99 interested in opening a PR to add this feature?

rhatdan avatar Nov 21 '22 19:11 rhatdan

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Dec 24 '22 00:12 github-actions[bot]

@flouthoc any time to work on this?

rhatdan avatar Jan 03 '23 18:01 rhatdan

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Feb 12 '23 00:02 github-actions[bot]

Since no one ever moved forward on this, and I am not sure it saves much in the real world, closing.

rhatdan avatar Feb 19 '23 18:02 rhatdan